From 028d135282b1d00d1fa79406daef33a41f92e597 Mon Sep 17 00:00:00 2001
From: 0x7674
Date: Mon, 26 Sep 2016 05:54:54 -0400
Subject: [PATCH 1/2] Removed external entity, doctype, etc support from policy file parsing.
---
 .../java/org/owasp/validator/html/Policy.java | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/src/main/java/org/owasp/validator/html/Policy.java b/src/main/java/org/owasp/validator/html/Policy.java
index 839d7669..8c8074e9 100644
--- a/src/main/java/org/owasp/validator/html/Policy.java
+++ b/src/main/java/org/owasp/validator/html/Policy.java
@@ -276,6 +276,19 @@ private static Element getTopLevelElement(InputStream is) throws PolicyException
 protected static Element getTopLevelElement(InputSource source) throws PolicyException {
 try {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ /**
+ * Disable external entities, etc.
+ */
+ String FEATURE = null;
+ FEATURE = "http://xml.org/sax/features/external-general-entities";
+ dbf.setFeature(FEATURE, false);
+ FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+ dbf.setFeature(FEATURE, false);
+ FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ dbf.setFeature(FEATURE, true);
+ FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+ dbf.setFeature(FEATURE, false);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document dom = db.parse(source);
 return dom.getDocumentElement();
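Review bot: The comment added above the feature toggles uses Javadoc form (`/** ... */`) inside a method body, where it is neither collected by Javadoc nor conventional, and "Disable external entities, etc." does not say what is being defended against. A line comment naming the threat is more useful to the next maintainer, e.g. `// Treat the policy file as untrusted XML: disallow DTDs and external entities so a crafted policy cannot trigger XXE or entity-expansion DoS.` The same Javadoc-style comment is introduced in the getPolicy hunk that follows. The catch clauses of the enclosing try block lie outside this hunk.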
@@ -353,6 +366,19 @@ private static Element getPolicy(String href, URL baseUrl)
 }
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ /**
+ * Disable external entities, etc.
+ */
+ String FEATURE = null;
+ FEATURE = "http://xml.org/sax/features/external-general-entities";
+ dbf.setFeature(FEATURE, false);
+ FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+ dbf.setFeature(FEATURE, false);
+ FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ dbf.setFeature(FEATURE, true);
+ FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+ dbf.setFeature(FEATURE, false);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document dom;
From 979ef569d53f284c2ffc2a594aabdd525642e29f Mon Sep 17 00:00:00 2001
From: vt
Date: Tue, 29 Nov 2016 19:39:18 -0500
Subject: [PATCH 2/2] Cleaner disabling of XXE vectors
---
 .../java/org/owasp/validator/html/Policy.java | 30 ++++++++-----------
 1 file changed, 12 insertions(+), 18 deletions(-)
diff --git a/src/main/java/org/owasp/validator/html/Policy.java b/src/main/java/org/owasp/validator/html/Policy.java
index 8c8074e9..eaf99099 100644
--- a/src/main/java/org/owasp/validator/html/Policy.java
+++ b/src/main/java/org/owasp/validator/html/Policy.java
@@ -80,6 +80,10 @@ public class Policy {
 public static final String PRESERVE_SPACE = "preserveSpace";
 public static final String PRESERVE_COMMENTS = "preserveComments";
 public static final String ENTITY_ENCODE_INTL_CHARS = "entityEncodeIntlChars";
+ public static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
+ public static final String EXTERNAL_PARAM_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
+ public static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+ public static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
 public static final String ACTION_VALIDATE = "validate";
 public static final String ACTION_FILTER = "filter";
@@ -280,15 +284,10 @@ protected static Element getTopLevelElement(InputSource source) throws PolicyExc
 /**
 * Disable external entities, etc.
 */
- String FEATURE = null;
- FEATURE = "http://xml.org/sax/features/external-general-entities";
- dbf.setFeature(FEATURE, false);
- FEATURE = "http://xml.org/sax/features/external-parameter-entities";
- dbf.setFeature(FEATURE, false);
- FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
- dbf.setFeature(FEATURE, true);
- FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
- dbf.setFeature(FEATURE, false);
+ dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+ dbf.setFeature(EXTERNAL_PARAM_ENTITIES, false);
+ dbf.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ dbf.setFeature(LOAD_EXTERNAL_DTD, false);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document dom = db.parse(source);
 return dom.getDocumentElement();
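Review bot: The four feature URIs are added as `public static final` members of Policy, which makes Xerces/SAX parser feature names part of the library's public API, sitting among the policy-file attribute keys (`PRESERVE_SPACE`, `ACTION_VALIDATE`) that callers legitimately use. Unless external code is meant to reference them, `private static final String EXTERNAL_GENERAL_ENTITIES = ...` (and likewise for the other three) keeps them an implementation detail that can change with the parser. A short comment above the group, `// JAXP parser features used to harden policy-file parsing; not policy-file keys`, would also stop them being mistaken for policy attributes.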
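Review bot: The four `setFeature` calls are now repeated verbatim here and in `getPolicy` (the next hunk), so a future parse site in Policy has to remember to copy all of them; a single private factory helper keeps the hardening in one place and is the natural spot to add `dbf.setXIncludeAware(false)` and `dbf.setExpandEntityReferences(false)` as cheap defence in depth behind disallow-doctype-decl. The apache.org feature names are Xerces-specific, so on another JAXP implementation `setFeature` throws `ParserConfigurationException`; that fails closed, which is the right outcome, but the catch that handles it lies outside this hunk and should be checked to ensure it surfaces as a `PolicyException` rather than being swallowed. The `DocumentBuilderFactory.newInstance()` call this hunk configures is also just outside the hunk.
```java
/** Builds a DocumentBuilderFactory with DTD, external-entity and XInclude processing disabled for policy parsing. */
private static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
    dbf.setFeature(EXTERNAL_PARAM_ENTITIES, false);
    dbf.setFeature(DISALLOW_DOCTYPE_DECL, true);
    dbf.setFeature(LOAD_EXTERNAL_DTD, false);
    dbf.setXIncludeAware(false);          // defence in depth: no XInclude of external documents
    dbf.setExpandEntityReferences(false); // defence in depth: no entity expansion even if a DTD were accepted
    return dbf;
}

// in getTopLevelElement (and getPolicy), replacing newInstance() plus the four setFeature lines:
DocumentBuilderFactory dbf = newSecureDocumentBuilderFactory();
// … unchanged: newDocumentBuilder / parse / getDocumentElement …
```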
@@ -370,15 +369,10 @@ private static Element getPolicy(String href, URL baseUrl)
 /**
 * Disable external entities, etc.
 */
- String FEATURE = null;
- FEATURE = "http://xml.org/sax/features/external-general-entities";
- dbf.setFeature(FEATURE, false);
- FEATURE = "http://xml.org/sax/features/external-parameter-entities";
- dbf.setFeature(FEATURE, false);
- FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
- dbf.setFeature(FEATURE, true);
- FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
- dbf.setFeature(FEATURE, false);
+ dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+ dbf.setFeature(EXTERNAL_PARAM_ENTITIES, false);
+ dbf.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ dbf.setFeature(LOAD_EXTERNAL_DTD, false);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document dom;