add test and additional disallow-doctype-decl to disallow it on parsing via disallow declaration of doctypes and also disallowinf xincludes as recommended in https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller

ymo-sci · ymo-sci · commit 4116001ff640 · 2024-12-10T11:35:44.000+01:00
- fixes: SIRI-1037
diff --git a/src/main/java/sirius/kernel/xml/XMLReader.java b/src/main/java/sirius/kernel/xml/XMLReader.java
@@ -182,6 +182,8 @@ public void parse(InputStream stream, Function<String, InputStream> resourceLoca
         try (stream) {
             SAXParserFactory factory = SAXParserFactory.newInstance();
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setXIncludeAware(false);
             SAXParser saxParser = factory.newSAXParser();
             org.xml.sax.XMLReader reader = saxParser.getXMLReader();
             reader.setEntityResolver(new EntityResolver() {
diff --git a/src/test/kotlin/sirius/kernel/xml/XmlReaderTest.kt b/src/test/kotlin/sirius/kernel/xml/XmlReaderTest.kt
@@ -9,11 +9,13 @@
 package sirius.kernel.xml
 
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
 import org.junit.jupiter.api.extension.ExtendWith
 import sirius.kernel.SiriusExtension
 import sirius.kernel.commons.ValueHolder
 import sirius.kernel.health.Counter
 import java.io.ByteArrayInputStream
+import java.io.IOException
 import kotlin.test.assertEquals
 import kotlin.test.assertFalse
 import kotlin.test.assertTrue
@@ -138,4 +140,24 @@ internal class XmlReaderTest {
         assertEquals(0, attributes.size)
         assertEquals("", attribute.get())
     }
+
+    @Test
+    fun `Reading an external entity is not allowed`() {
+        val readString = ValueHolder.of<String?>(null)
+        val reader = XMLReader()
+        reader.addHandler("root") { node: StructuredNode ->
+            readString.set(node.queryString("."))
+        }
+        assertThrows<IOException> {
+            reader.parse(
+                ByteArrayInputStream(//language=xml
+                    """
+                            <?xml version="1.0" encoding="UTF-8"?> 
+                            <!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/hosts">]> 
+                            <root>&xxe;</root>
+                        """.trimIndent().toByteArray()
+                )
+            )
+        }
+    }
 }
