mangstadt / ez-vcard

A vCard parser library for Java

XXE vulnerability #55

Closed seanboylan closed 8 years ago

seanboylan commented 8 years ago

ezvcard.util.XMLUtils

import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

private static Document toDocument(InputSource in) throws SAXException, IOException {
    // Factory is left at its defaults, so DOCTYPE declarations and external entities are processed.
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setIgnoringComments(true);

    DocumentBuilder builder;
    try {
        builder = factory.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        //should never be thrown because we're not doing anything fancy with the configuration
        throw new RuntimeException(e);
    }

    return builder.parse(in);
}

Has an XXE vulnerability - Please disable external XML entity processing:

References:
- https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
- https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

mangstadt commented 8 years ago

Thank you for reporting this, Sean. I will look into it.

mangstadt commented 8 years ago

Fixed in e7822b75b8825c659408830d4ff80b92ebcdb9f3.