Closed jxs-xx closed 5 years ago
The convertToObject code in XMLConverUtil still contains an XXE vulnerability; the following handling code needs to be added for JAXB:
```java
import java.io.StringReader;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

// Proposed body for convertToObject: feed JAXB a StAX reader that is configured
// not to resolve external entities, instead of letting the Unmarshaller create
// its own (default, entity-resolving) parser. Method signature assumed from the
// identifiers used in the snippet (clazz, xml, T).
@SuppressWarnings("unchecked")
public static <T> T convertToObject(Class<T> clazz, String xml) throws Exception {
    JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
    XMLInputFactory xif = XMLInputFactory.newFactory();
    // Do not fetch/expand external entities (blocks SYSTEM/PUBLIC entity XXE).
    xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    // DTD processing is left enabled here, so an inline DOCTYPE and its
    // internal entities are still parsed.
    xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
    XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
    return (T) unmarshaller.unmarshal(xsr);
}
```
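The difference between the two unmarshalling paths, as an added stand-alone example that is not the project's own XMLConverUtil code: the unsafe variant calls the Unmarshaller directly on a Reader, so JAXB's default parser configuration resolves the external entity in a constructed payload and the file contents end up in the bound object; the hardened variant goes through a StAX reader with external entities disabled and, going one step beyond the snippet above, also sets SUPPORT_DTD to false so any DOCTYPE is rejected outright (which also covers inline entity-expansion payloads). Assumptions: the class and field names (XxeDemo, Msg, Content) are hypothetical stand-ins for the project's message types, the "secret" is a temp file written by the demo itself, and javax.xml.bind is on the classpath (JDK 8, or the jaxb-api/jaxb-runtime artifacts on newer JDKs).

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class XxeDemo {

    // Hypothetical message type standing in for the project's own JAXB classes.
    @XmlRootElement(name = "xml")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Msg {
        @XmlElement(name = "Content")
        public String content;
    }

    /** Vulnerable: JAXB builds its own parser, which resolves external entities by default. */
    public static <T> T unmarshalUnsafe(String xml, Class<T> clazz) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(clazz).createUnmarshaller();
        return clazz.cast(u.unmarshal(new StringReader(xml)));
    }

    /** Hardened: a StAX reader with DTDs and external entities disabled is handed to JAXB. */
    public static <T> T unmarshalSafe(String xml, Class<T> clazz) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        // No external entity resolution (no file:// or http:// fetches).
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // No DTD at all: a DOCTYPE makes the reader throw XMLStreamException,
        // which the Unmarshaller surfaces as an UnmarshalException.
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller u = JAXBContext.newInstance(clazz).createUnmarshaller();
            return clazz.cast(u.unmarshal(xsr));
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file so the demo does not touch real system files.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "TOP-SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed XXE payload: an external entity pointing at that file,
        // referenced from the element that gets bound to Msg.content.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE xml [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
            + "<xml><Content>&xxe;</Content></xml>";

        Msg leaked = unmarshalUnsafe(payload, Msg.class);
        System.out.println("unsafe -> Content = " + leaked.content);

        try {
            unmarshalSafe(payload, Msg.class);
            System.out.println("safe   -> unexpectedly parsed");
        } catch (Exception e) {
            System.out.println("safe   -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running the demo prints the temp file's contents on the unsafe path and a rejection on the safe path. If the application legitimately needs DTDs, keep SUPPORT_DTD true and rely on IS_SUPPORTING_EXTERNAL_ENTITIES=false as in the snippet above, but be aware that inline entity declarations are then still expanded, subject only to the JDK's built-in expansion limits.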
@jxs-xx This has already been changed on the dev branch; a new version is expected to be released in mid-August.