XXE vulnerability  #55

@seanboylan

Description

ezvcard.util.XMLUtils

private static Document toDocument(InputSource in) throws SAXException, IOException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setIgnoringComments(true);

    DocumentBuilder builder;
    try {
        builder = factory.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        //should never be thrown because we're not doing anything fancy with the configuration
        throw new RuntimeException(e);
    }

    return builder.parse(in);
}

Has an XXE vulnerability. Please disable external XML entity processing:

References:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
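The following is an added example, not code from the report or from ez-vcard itself. It puts the reporter's factory configuration next to a hardened one that applies the features recommended in the OWASP cheat sheet linked above, and runs both over a constructed xCard document carrying an external entity. The class name XxeDemo, the method names toDocumentVulnerable and toDocumentHardened, and the harmless local target file:///etc/hostname are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Added demo (not ez-vcard code): vulnerable vs. hardened DocumentBuilderFactory. */
public class XxeDemo {

    private static final String VCARD_NS = "urn:ietf:params:xml:ns:vcard-4.0";

    // Constructed payload: a DTD declares an external entity and the <text>
    // element references it. /etc/hostname is an assumed, harmless local file.
    private static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE vcards [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<vcards xmlns=\"" + VCARD_NS + "\"><vcard><fn><text>&xxe;</text></fn></vcard></vcards>";

    /** Same configuration as the toDocument() quoted in the report: entities are resolved. */
    static Document toDocumentVulnerable(InputSource in) throws SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);
        return newBuilder(factory).parse(in);
    }

    /** Hardened variant: keeps the namespace/comment settings, refuses DTDs and external entities. */
    static Document toDocumentHardened(InputSource in) throws SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);
        try {
            // xCard needs no DTD, so refusing any DOCTYPE is the most complete fix:
            // entities cannot be declared at all, and the parser stops before resolving anything.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parser implementations that ignore the feature above.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
        } catch (ParserConfigurationException e) {
            // A parser that cannot honour these features must not be fed untrusted input.
            throw new IllegalStateException("XML parser does not support XXE protections", e);
        }
        return newBuilder(factory).parse(in);
    }

    private static DocumentBuilder newBuilder(DocumentBuilderFactory factory) {
        try {
            return factory.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            throw new RuntimeException(e);
        }
    }

    private static InputSource payload() {
        return new InputSource(new ByteArrayInputStream(XXE_PAYLOAD.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the entity is fetched and the file contents end up inside <text>.
        try {
            Document unsafe = toDocumentVulnerable(payload());
            String leaked = unsafe.getElementsByTagNameNS(VCARD_NS, "text").item(0).getTextContent().trim();
            System.out.println("vulnerable parser read the file: " + leaked);
        } catch (IOException e) {
            // Still an attempted fetch of an attacker-chosen URI; only the target was missing.
            System.out.println("vulnerable parser tried to fetch the entity: " + e);
        }

        // Hardened path: parsing fails at the DOCTYPE, before any entity is resolved.
        try {
            toDocumentHardened(payload());
            System.out.println("hardened parser accepted the document (not expected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in parser, the first call returns a document whose <text> node holds the contents of the referenced file, while the second throws a SAXParseException as soon as the DOCTYPE is seen. The disallow-doctype-decl feature does reject any input that legitimately ships a DTD; if that ever had to be supported, the remaining feature settings in the same block are the fallback, and external entity resolution stays off either way.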
