From 5391c9b97c054df6750413966bd8a14a0136b76a Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Fri, 26 Jan 2024 20:13:04 +0000
Subject: [PATCH] Introduced protections against XXE attacks
---
pom.xml | 10 ++++++++++
.../org/owasp/webgoat/lessons/xxe/CommentsCache.java | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index ace58b581..1183dd0e0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,6 +147,7 @@
1.5.2
1.0.2
+ 1.1.1
@@ -254,6 +255,11 @@
java-security-toolkit-xstream
${versions.java-security-toolkit-xstream}
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
@@ -403,6 +409,10 @@
io.github.pixee
java-security-toolkit-xstream
+
+ io.github.pixee
+ java-security-toolkit
+
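Review bot: The runtime dependency io.github.pixee:java-security-toolkit added in this hunk is pulled in solely to wrap the XMLInputFactory in the XXE lesson (CommentsCache.parseXml in the second file), where the parser is deliberately left unhardened unless `webSession.isSecurityEnabled()` is true; if `hardenFactory` disables DTD/external-entity support as its name suggests, it hardens the lesson's parser unconditionally and the training exercise stops being exploitable. Consider dropping the dependency together with the `hardenFactory` wrapper, or moving the hardening inside the `isSecurityEnabled()` branch so the existing toggle keeps its meaning. Independently of that, this is a new third-party artifact reaching the runtime classpath via a bot-generated change: keep it pinned (the 1.1.1 version property is managed earlier in this patch) and verify its provenance and transitive dependencies before merging. The XML element tags are not visible in this rendering, so the exact scope of the dependency element cannot be confirmed from the hunk.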
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index b949f0abe..a6e3ff5a6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.xxe;
+import static io.github.pixee.security.XMLInputFactorySecurity.hardenFactory;
import static java.util.Optional.empty;
import static java.util.Optional.of;
@@ -95,7 +96,7 @@ protected Comments getComments() {
*/
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
var jc = JAXBContext.newInstance(Comment.class);
- var xif = XMLInputFactory.newInstance();
+ var xif = hardenFactory(XMLInputFactory.newInstance());
if (webSession.isSecurityEnabled()) {
xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant