From d9f435f6acabb28ab8a670a4a9081f0164008b1e Mon Sep 17 00:00:00 2001
From: Ashutosh Gupta
Date: Tue, 27 Sep 2022 07:44:25 +0100
Subject: [PATCH] HDFS-16766. XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source (#4886)

Co-authored-by: Ashutosh Gupta
Signed-off-by: Akira Ajisaka
---
 .../java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java
index fb15926dce..fcba618c94 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/util/ECPolicyLoader.java
@@ -89,6 +89,11 @@ private List loadECPolicies(File policyFile)
 // Read and parse the EC policy file.
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 dbf.setIgnoringComments(true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
 DocumentBuilder builder = dbf.newDocumentBuilder();
 Document doc = builder.parse(policyFile);
 Element root = doc.getDocumentElement();
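Review bot: All five feature URIs added before `newDocumentBuilder()` are Xerces/SAX-specific, and `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` for a feature the installed JAXP provider does not recognise, so on a classpath with a non-Xerces provider the loader would presumably fail before parsing rather than parse unhardened (fail-closed, but worth stating). The portable baseline is the standard JAXP switch, `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (needs `javax.xml.XMLConstants`), plus `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);`, which close XInclude and entity expansion independently of the provider-specific names; `disallow-doctype-decl` already makes the remaining four largely redundant on Xerces, so they can stay as defence in depth. A one-line comment above the block, `// Harden against XXE/XInclude: the policy file path is operator-supplied and the XML is not trusted.`, would record why the features are set. The enclosing `loadECPolicies` method begins and ends outside this hunk, so I cannot see whether its `throws` clause already covers `ParserConfigurationException` for the new `setFeature` calls.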