aws-amplify / aws-sdk-android

AWS SDK for Android. For more information, see our web site:
https://docs.amplify.aws

ParserConfigurationException when using XpathUtils #3336

Closed noropoly closed 1 year ago

noropoly commented 1 year ago

Describe the bug

ParserConfigurationException when using XpathUtils

To Reproduce

  1. Shift the device time by one hour.
  2. Call AmazonS3Client#getObject().
  3. When parsing the response body, XpathUtils is accessed and an exception is raised.

Which AWS service(s) are affected?

Amazon S3

Expected behavior

Correctly parse the response body and correctly handle "RequestTimeTooSkewed" error.

Screenshots

XpathUtils.java

    private static DocumentBuilderFactory getDocumentBuilderFactory() {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setXIncludeAware(false); // Default false for java 8. Disable XML Inclusions leading to SSRF - https://portswigger.net/web-security/xxe/lab-xinclude-attack
            dbf.setExpandEntityReferences(false);
            return dbf;
        }
        catch (ParserConfigurationException exception){
            return null;
        }
    }

ParserConfigurationException

Environment Information (please complete the following information):

Additional context

This modification seems to have affected.

tylerjroach commented 1 year ago

@noropoly Thank you for the report. We have done further testing and confirmed a fix to revert the change. https://github.com/aws-amplify/aws-sdk-android/pull/3353

eeatonaws commented 1 year ago

A fix has been released in AWS SDK for Android 2.72.0. Please let us know if you have any additional questions.
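
An added example (not the SDK's code and not the change made in the linked pull request): one way to request the same XXE hardening as the snippet in the report while keeping the factory usable when a parser rejects a feature, instead of returning null. It assumes the exception in this issue comes from `setFeature` rejecting a feature the platform parser does not support; the class name `HardenedXmlFactory`, the two additional SAX entity features and the sample XML are choices made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical helper class for this example; not part of aws-sdk-android.
public class HardenedXmlFactory {
    // Hardening features to request; a given parser may reject any of them.
    private static final String[][] FEATURES = {
        {"http://apache.org/xml/features/disallow-doctype-decl", "true"},
        {"http://xml.org/sax/features/external-general-entities", "false"},
        {"http://xml.org/sax/features/external-parameter-entities", "false"},
    };

    static DocumentBuilderFactory newFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (String[] f : FEATURES) {
            try {
                dbf.setFeature(f[0], Boolean.parseBoolean(f[1]));
            } catch (ParserConfigurationException e) {
                // Unsupported on this parser: report it, keep the factory usable.
                System.err.println("XML feature not supported: " + f[0]);
            }
        }
        try {
            dbf.setXIncludeAware(false);
        } catch (UnsupportedOperationException e) {
            // Thrown by implementations that do not override this method.
        }
        dbf.setExpandEntityReferences(false);
        return dbf; // never null, so callers do not fail on a missing factory
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like the S3 error named in the report.
        String xml = "<Error><Code>RequestTimeTooSkewed</Code></Error>";
        Document doc = newFactory().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(doc.getDocumentElement()
            .getElementsByTagName("Code").item(0).getTextContent());
    }
}
```

A rejected feature means that protection is not active on that parser, so the logged line is the cue to confirm that the parser's defaults do not process DTDs or resolve external entities.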