From f885bad9867cb4cf00af0da38bd43304ef3c0579 Mon Sep 17 00:00:00 2001
From: Jeremy Landis
Date: Wed, 25 Sep 2024 18:54:18 -0400
Subject: [PATCH] [secure] Make sure secure processing on document builder factory
---
 pom.xml | 2 +-
 src/main/java/com/ibatis/common/xml/NodeletParser.java | 5 ++++-
 .../sqlmap/engine/mapping/statement/MappedStatement.java | 4 +++-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 624eb79d..547ff6b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@ org.mybatis mybatis-parent 45 - + org.mybatis
diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
index 2099e56c..cf085958 100644
--- a/src/main/java/com/ibatis/common/xml/NodeletParser.java
+++ b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2022 the original author or authors.
+ * Copyright 2004-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.io.Reader;
 import java.util.*;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;
@@ -195,6 +196,7 @@ private void processNodelet(Node node, String pathString) {
 private Document createDocument(Reader reader) throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setValidating(validation);
 factory.setNamespaceAware(false);
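Review bot: The new `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` line guarantees only what JAXP requires of every implementation (entity-expansion and size limits); whether it also blocks external DTD and schema fetches is implementation-specific — the JDK's built-in parser does, but a third-party DocumentBuilderFactory picked up through the service loader need not. Because this method keeps `factory.setValidating(validation)` and so presumably relies on DOCTYPE resolution, the portable hardening is to pin the external-access policy explicitly with `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`. In the JDK parser that restriction is, as far as I know, not applied to entities an EntityResolver supplies as a stream, so it should leave classpath-resolved DTDs working — worth confirming against the resolver this parser installs, and the calls need a catch for IllegalArgumentException on parsers that do not know the attribute. The identical line is added to the InputStream overload at hunk @@ -241,6; a private factory-building helper shared by both overloads would keep the two configurations from drifting. createDocument's body continues beyond the hunk.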
@@ -241,6 +243,7 @@ public void warning(SAXParseException exception) throws SAXException {
 private Document createDocument(InputStream inputStream) throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setValidating(validation);
 factory.setNamespaceAware(false);
diff --git a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
index 3318c4af..cfd26595 100644
--- a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
+++ b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2023 the original author or authors.
+ * Copyright 2004-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,7 @@
 import java.util.Arrays;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -452,6 +453,7 @@ protected Object validateParameter(Object param) throws SQLException {
 private Document stringToDocument(String s) {
 try {
 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 return documentBuilder.parse(new ReaderInputStream(new StringReader(s)));
 } catch (Exception e) {
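Review bot: In `stringToDocument` the document built from `s` goes through no EntityResolver and no validation, so a DOCTYPE carrying external entities is handled only as well as the installed parser's reading of FEATURE_SECURE_PROCESSING (the JDK parser blocks external access under it; other JAXP implementations may apply only expansion limits). If `s` is never expected to contain a DOCTYPE — plausible for a parameter value, though the callers are outside the hunk — `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` is the stronger and portable check, with `XMLConstants.ACCESS_EXTERNAL_DTD` set to `""` as the fallback where a DOCTYPE must be accepted. Note that `setFeature` throws ParserConfigurationException, which the surrounding `catch (Exception e)` absorbs; what that branch does is outside the hunk, so it is worth checking that a misconfigured parser surfaces as an error rather than a silently degraded Document. The method continues past the end of the hunk.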