Better configure DocumentBuilderFactory to help prevent XXE (#2132)

For more information see: https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
google · Aug 30, 2023 · 6b5ec36 · 6b5ec36
1 parent ebf0783
commit 6b5ec36
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/core/src/main/java/google/registry/flows/EppXmlSanitizer.java b/core/src/main/java/google/registry/flows/EppXmlSanitizer.java
@@ -165,6 +165,9 @@ private static XMLInputFactory createXmlInputFactory() {
     xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
     // Preserve Name Space information.
     xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+    // Prevent XXE attacks.
+    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
     return xmlInputFactory;
   }
 }
diff --git a/core/src/main/java/google/registry/tmch/TmchXmlSignature.java b/core/src/main/java/google/registry/tmch/TmchXmlSignature.java
@@ -111,6 +111,10 @@ private static Document parseSmdDocument(InputStream input)
     dbf.setSchema(SCHEMA);
     dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", false);
     dbf.setNamespaceAware(true);
+    // Disable DTDs
+    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    dbf.setXIncludeAware(false); // disable XML Inclusions
+    dbf.setExpandEntityReferences(false); // disable expand entity reference nodes
     return dbf.newDocumentBuilder().parse(input);
   }
 

diff --git a/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java b/prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java
@@ -153,6 +153,14 @@ public class EppMessage {
     xpath = XPathFactory.newInstance().newXPath();
     xpath.setNamespaceContext(new EppNamespaceContext());
     docBuilderFactory.setNamespaceAware(true);
+    try {
+      // Disable DTDs
+      docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    } catch (ParserConfigurationException e) {
+      throw new RuntimeException("Error configuring DocumentBuilderFactory", e);
+    }
+    docBuilderFactory.setXIncludeAware(false); // disable XML Inclusions
+    docBuilderFactory.setExpandEntityReferences(false); // disable expand entity reference nodes
 
     String path = "./xsd/";
     StreamSource[] sources;