Merge pull request #2518 from JAckLosingHeart/main

Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory to remediate XXE (XML External Entity Injection) vulnerabilities
Atmosphere · Nov 7, 2024 · 46faee5 · 46faee5
2 parents ff31226 + d657e8a
commit 46faee5
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java b/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java
@@ -29,6 +29,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.FileNotFoundException;
@@ -54,6 +55,7 @@ public AtmosphereConfig parse(AtmosphereConfig config, String filename) throws F
 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             return parse(config, factory.newDocumentBuilder().parse(filename));
         } catch (SAXException | IOException | ParserConfigurationException e) {
             logger.error(e.getMessage(), e);
@@ -66,6 +68,7 @@ public AtmosphereConfig parse(AtmosphereConfig config, InputStream stream) throw
 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             return parse(config, factory.newDocumentBuilder().parse(stream));
         } catch (SAXException | IOException | ParserConfigurationException e) {
             logger.error(e.getMessage(), e);