HDFS-16766. XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source (#4886)
Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com> Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
parent
5d20988f9f
commit
d9f435f6ac
@ -89,6 +89,11 @@ private List<ErasureCodingPolicy> loadECPolicies(File policyFile)
|
|||||||
// Read and parse the EC policy file.
|
// Read and parse the EC policy file.
|
||||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||||
dbf.setIgnoringComments(true);
|
dbf.setIgnoringComments(true);
|
||||||
|
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||||
|
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||||
|
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||||
|
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||||
|
dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
|
||||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||||
Document doc = builder.parse(policyFile);
|
Document doc = builder.parse(policyFile);
|
||||||
Element root = doc.getDocumentElement();
|
Element root = doc.getDocumentElement();
|
||||||
|
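Review bot: The five `setFeature` calls added before `dbf.newDocumentBuilder()` have no comment saying why they are there, or that a policy file containing a DOCTYPE is now rejected at `builder.parse(policyFile)`; I would add `// XXE hardening: reject DOCTYPE declarations and never resolve external entities or DTDs.` above the first call. The `http://apache.org/xml/features/...` names are Xerces feature identifiers, so on a JAXP implementation that does not recognise them `setFeature` throws `ParserConfigurationException` and policy loading fails closed; that is presumably intended but worth stating in the same comment. If other XML parse sites in the project need the same hardening, a single shared factory helper would keep the settings from drifting, and it could also set `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);` explicitly. The body of `loadECPolicies` starts and ends outside this hunk, so how the parse exceptions are handled is not visible here.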