From 5391c9b97c054df6750413966bd8a14a0136b76a Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Fri, 26 Jan 2024 20:13:04 +0000
Subject: [PATCH] Introduced protections against XXE attacks

---
 pom.xml | 10 ++++++++++
 .../org/owasp/webgoat/lessons/xxe/CommentsCache.java | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index ace58b581..1183dd0e0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,6 +147,7 @@ 1.5.2 1.0.2 + 1.1.1
@@ -254,6 +255,11 @@ java-security-toolkit-xstream ${versions.java-security-toolkit-xstream} + + io.github.pixee + java-security-toolkit + ${versions.java-security-toolkit} +
@@ -403,6 +409,10 @@ io.github.pixee java-security-toolkit-xstream + + io.github.pixee + java-security-toolkit +
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index b949f0abe..a6e3ff5a6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -22,6 +22,7 @@ package org.owasp.webgoat.lessons.xxe;
+import static io.github.pixee.security.XMLInputFactorySecurity.hardenFactory;
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
@@ -95,7 +96,7 @@ protected Comments getComments() {
 */
 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
 var jc = JAXBContext.newInstance(Comment.class);
- var xif = XMLInputFactory.newInstance();
+ var xif = hardenFactory(XMLInputFactory.newInstance());
 if (webSession.isSecurityEnabled()) {
 xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
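Review bot: The `<dependency>` entry added in the `@@ -254,6 +255,11 @@` hunk of pom.xml introduces a new third-party artifact, `io.github.pixee:java-security-toolkit`, whose only visible use is wrapping a single `XMLInputFactory` in `CommentsCache.parseXml`, while the JDK already exposes the equivalent hardening through `xif.setProperty(XMLInputFactory.SUPPORT_DTD, false)` and `xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)`, so a new supply-chain dependency may not be justified for this change. The CommentsCache hunk also shows that the existing protections are applied only inside `if (webSession.isSecurityEnabled())`, which suggests the unprotected path is deliberate for this lesson; if `hardenFactory` disables DTD or external-entity support unconditionally, the lesson would presumably stop demonstrating the issue, which is worth confirming against the library's documented behaviour before merging. If the dependency is kept, a short XML comment beside the new entry, such as `<!-- hardens XMLInputFactory in the xxe lesson; see CommentsCache.parseXml -->`, would tell future maintainers why it was added.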