owner/src/main/java/org/aeonbits/owner/loaders/XMLLoader.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,12 +8,14 @@ @@
     package org.aeonbits.owner.loaders;
+    import org.aeonbits.owner.loaders.XMLLoader.XmlToPropsHandler;
     import org.xml.sax.Attributes;
     import org.xml.sax.InputSource;
     import org.xml.sax.SAXException;
     import org.xml.sax.SAXParseException;
     import org.xml.sax.ext.DefaultHandler2;
+    import javax.xml.XMLConstants;
     import javax.xml.parsers.ParserConfigurationException;
     import javax.xml.parsers.SAXParser;
     import javax.xml.parsers.SAXParserFactory;
@@ Expand Down Expand Up / @@ -41,8 +43,21 @@ public class XMLLoader implements Loader { @@
         private synchronized SAXParserFactory factory() {
             if (factory == null) {
                 factory = SAXParserFactory.newInstance();
-                factory.setValidating(true);
+                try {
+                // Disable DOCTYPE declarations to prevent XXE attacks
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                // Enable secure XML processing
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                // These settings should come after security features
                 factory.setNamespaceAware(true);
+                // Note: Removed setValidating(true) as it can enable XXE vulnerabilities
+                // If validation is required, use an alternative approach with a Schema object
+                } catch (ParserConfigurationException e) {
+                    throw new IllegalStateException("Failed to configure secure XML parser", e);
+            }
             }
             return factory;
         }
@@ Expand Down @@

owner/src/main/java/org/aeonbits/owner/util/Reflection.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,8 @@ @@
     import java.lang.reflect.Method;
+    import org.aeonbits.owner.util.Reflection.Java8Support;
     /**
      * @author Luigi R. Viggiano
      */
@@ Expand All / @@ -24,7 +26,8 @@ public static boolean isClassAvailable(String className) { @@
         public static Class<?> forName(String className) {
             try {
-                return Class.forName(className);
+              // Use a specific trusted class's classloader instead of the context classloader
+              return AES.class.getClassLoader().loadClass(className);
             } catch (ClassNotFoundException e) {
                 return null;
             }
@@ Expand Down @@

Fix XXE Vulnerability in XML Parser Configuration #485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

th555555 wants to merge 2 commits into matteobaccan:master from th555555:master

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,12 +8,14 @@ @@
     package org.aeonbits.owner.loaders;
+    import org.aeonbits.owner.loaders.XMLLoader.XmlToPropsHandler;
     import org.xml.sax.Attributes;
     import org.xml.sax.InputSource;
     import org.xml.sax.SAXException;
     import org.xml.sax.SAXParseException;
     import org.xml.sax.ext.DefaultHandler2;
+    import javax.xml.XMLConstants;
     import javax.xml.parsers.ParserConfigurationException;
     import javax.xml.parsers.SAXParser;
     import javax.xml.parsers.SAXParserFactory;
@@ Expand Down Expand Up / @@ -41,8 +43,21 @@ public class XMLLoader implements Loader { @@
         private synchronized SAXParserFactory factory() {
             if (factory == null) {
                 factory = SAXParserFactory.newInstance();
-                factory.setValidating(true);
+                try {
+                // Disable DOCTYPE declarations to prevent XXE attacks
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                // Enable secure XML processing
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                // These settings should come after security features
                 factory.setNamespaceAware(true);
+                // Note: Removed setValidating(true) as it can enable XXE vulnerabilities
+                // If validation is required, use an alternative approach with a Schema object
+                } catch (ParserConfigurationException e) {
+                    throw new IllegalStateException("Failed to configure secure XML parser", e);
+            }
             }
             return factory;
         }
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,8 @@ @@
     import java.lang.reflect.Method;
+    import org.aeonbits.owner.util.Reflection.Java8Support;
     /**
      * @author Luigi R. Viggiano
      */
@@ Expand All / @@ -24,7 +26,8 @@ public static boolean isClassAvailable(String className) { @@
         public static Class<?> forName(String className) {
             try {
-                return Class.forName(className);
+              // Use a specific trusted class's classloader instead of the context classloader
+              return AES.class.getClassLoader().loadClass(className);
             } catch (ClassNotFoundException e) {
                 return null;
             }
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix XXE Vulnerability in XML Parser Configuration #485

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Fix XXE Vulnerability in XML Parser Configuration #485

Are you sure you want to change the base?

Uh oh!

Fix XXE Vulnerability in XML Parser Configuration #485

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing