From f901c9419df80f3d8e7032303d5d4f06ed4a64eb Mon Sep 17 00:00:00 2001
From: Looly
Date: Fri, 16 Jun 2023 20:23:13 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-3276=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E=EF=BC=8CXmlUtil.readBySax=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../core/convert/impl/StringConverter.java | 2 +-
 .../hutool/core/{util => xml}/XmlUtil.java | 58 +++++++++----------
 .../dromara/hutool/core/xml/package-info.java | 19 ++++++
 .../hutool/core/util/Issue3136Test.java | 1 +
 .../dromara/hutool/core/util/XmlUtilTest.java | 4 +-
 .../dromara/hutool/extra/xml/JAXBUtil.java | 2 +-
 .../dromara/hutool/http/html/HtmlUtil.java | 2 +-
 .../hutool/http/webservice/SoapClient.java | 2 +-
 .../hutool/http/webservice/SoapUtil.java | 2 +-
 .../dromara/hutool/json/Issue3139Test.java | 3 +-
 .../dromara/hutool/json/IssueI676ITTest.java | 2 +-
 11 files changed, 55 insertions(+), 42 deletions(-)
 rename hutool-core/src/main/java/org/dromara/hutool/core/{util => xml}/XmlUtil.java (97%)
 create mode 100755 hutool-core/src/main/java/org/dromara/hutool/core/xml/package-info.java

diff --git a/hutool-core/src/main/java/org/dromara/hutool/core/convert/impl/StringConverter.java b/hutool-core/src/main/java/org/dromara/hutool/core/convert/impl/StringConverter.java
index da1cfee25..1f3369ff1 100644
--- a/hutool-core/src/main/java/org/dromara/hutool/core/convert/impl/StringConverter.java
+++ b/hutool-core/src/main/java/org/dromara/hutool/core/convert/impl/StringConverter.java
@@ -17,7 +17,7 @@ import org.dromara.hutool.core.convert.ConvertException;
 import org.dromara.hutool.core.io.IoUtil;
 import org.dromara.hutool.core.map.MapUtil;
 import org.dromara.hutool.core.util.CharsetUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 
 import java.io.InputStream;
 import java.io.Reader;
diff --git a/hutool-core/src/main/java/org/dromara/hutool/core/util/XmlUtil.java b/hutool-core/src/main/java/org/dromara/hutool/core/xml/XmlUtil.java
similarity index 97%
rename from hutool-core/src/main/java/org/dromara/hutool/core/util/XmlUtil.java
rename to hutool-core/src/main/java/org/dromara/hutool/core/xml/XmlUtil.java
index ebc4131aa..341d4b971 100644
--- a/hutool-core/src/main/java/org/dromara/hutool/core/util/XmlUtil.java
+++ b/hutool-core/src/main/java/org/dromara/hutool/core/xml/XmlUtil.java
@@ -10,26 +10,22 @@
  * See the Mulan PSL v2 for more details.
  */
 
-package org.dromara.hutool.core.util;
+package org.dromara.hutool.core.xml;
 
 import org.dromara.hutool.core.bean.BeanUtil;
 import org.dromara.hutool.core.collection.CollUtil;
 import org.dromara.hutool.core.collection.ListUtil;
 import org.dromara.hutool.core.exception.HutoolException;
-import org.dromara.hutool.core.io.file.FileUtil;
 import org.dromara.hutool.core.io.IORuntimeException;
 import org.dromara.hutool.core.io.IoUtil;
+import org.dromara.hutool.core.io.file.FileUtil;
 import org.dromara.hutool.core.lang.Assert;
-import org.dromara.hutool.core.lang.Console;
 import org.dromara.hutool.core.map.BiMap;
 import org.dromara.hutool.core.map.MapUtil;
 import org.dromara.hutool.core.text.StrUtil;
 import org.dromara.hutool.core.text.escape.EscapeUtil;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NamedNodeMap;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
+import org.dromara.hutool.core.util.CharsetUtil;
+import org.w3c.dom.*;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -39,16 +35,8 @@ import org.xml.sax.helpers.DefaultHandler;
 import javax.xml.XMLConstants;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.namespace.QName;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Result;
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.parsers.*;
+import javax.xml.transform.*;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.xpath.XPath;
@@ -56,20 +44,8 @@ import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import java.beans.XMLEncoder;
-import java.io.BufferedInputStream;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Reader;
-import java.io.StringWriter;
-import java.io.Writer;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
+import java.io.*;
+import java.util.*;
 
 /**
  * XML工具类
@@ -309,6 +285,16 @@ public class XmlUtil {
 			factory = SAXParserFactory.newInstance();
 			factory.setValidating(false);
 			factory.setNamespaceAware(namespaceAware);
+
+			// https://blog.spoock.com/2018/10/23/java-xxe/
+			try{
+				factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+				factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+				factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+				factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			} catch (final Exception ignore){
+				// ignore
+			}
 		}
 		// 2.从解析工厂获取解析器
 		final SAXParser parse;
@@ -323,8 +309,15 @@ public class XmlUtil {
 			// 3.得到解读器
 			reader = parse.getXMLReader();
 			// 防止XEE攻击,见:https://www.jianshu.com/p/1a857905b22c
+			// https://blog.spoock.com/2018/10/23/java-xxe/
+			reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			// 忽略外部DTD
+			reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+			// 不包括外部一般实体。
 			reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+			// 不包含外部参数实体或外部DTD子集。
 			reader.setFeature("http://xml.org/sax/features/external-parameter-entities",false);
+
 			reader.setContentHandler(contentHandler);
 			reader.parse(source);
 		} catch (final ParserConfigurationException | SAXException e) {
@@ -654,6 +647,7 @@ public class XmlUtil {
 		} else {
 			factory = DocumentBuilderFactory.newInstance();
 		}
+		// 默认打开NamespaceAware,getElementsByTagNameNS可以使用命名空间
 		factory.setNamespaceAware(namespaceAware);
 
 		return disableXXE(factory);
diff --git a/hutool-core/src/main/java/org/dromara/hutool/core/xml/package-info.java b/hutool-core/src/main/java/org/dromara/hutool/core/xml/package-info.java
new file mode 100755
index 000000000..74e4d1785
--- /dev/null
+++ b/hutool-core/src/main/java/org/dromara/hutool/core/xml/package-info.java
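Review bot: The `catch (final Exception ignore)` around the four `factory.setFeature` calls in the first hunk swallows every failure, so on a SAX implementation that does not recognise the Apache-specific `disallow-doctype-decl` or `load-external-dtd` feature the factory-level hardening is silently dropped and parsing continues as before. The same features set on the reader in the second hunk are not guarded, so there a `SAXNotRecognizedException`/`SAXNotSupportedException` (both `SAXException` subclasses) would reach the outer `catch (final ParserConfigurationException | SAXException e)` whose body lies outside the hunk; the two paths should fail the same way rather than one silently and one loudly. I would narrow the factory catch to what `setFeature` actually declares, `} catch (final ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {` (importing those two `org.xml.sax` types if they are not already), and at least log which feature was unavailable instead of `// ignore`. Since `XMLConstants` is already imported, adding the implementation-independent `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside the vendor-specific URIs gives a baseline that every JAXP-compliant `SAXParserFactory` is required to honour. readBySax starts before the first hunk and its catch block continues past the second.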
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2023 looly(loolly@aliyun.com)
+ * Hutool is licensed under Mulan PSL v2.
+ * You can use this software according to the terms and conditions of the Mulan PSL v2.
+ * You may obtain a copy of Mulan PSL v2 at:
+ * http://license.coscl.org.cn/MulanPSL2
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PSL v2 for more details.
+ */
+
+/**
+ * XML相关工具封装
+ *
+ * @author looly
+ * @since 6.0.0
+ */
+package org.dromara.hutool.core.xml;
diff --git a/hutool-core/src/test/java/org/dromara/hutool/core/util/Issue3136Test.java b/hutool-core/src/test/java/org/dromara/hutool/core/util/Issue3136Test.java
index b149678e7..bbd50d36b 100755
--- a/hutool-core/src/test/java/org/dromara/hutool/core/util/Issue3136Test.java
+++ b/hutool-core/src/test/java/org/dromara/hutool/core/util/Issue3136Test.java
@@ -13,6 +13,7 @@
 package org.dromara.hutool.core.util;
 
 import lombok.Data;
+import org.dromara.hutool.core.xml.XmlUtil;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
diff --git a/hutool-core/src/test/java/org/dromara/hutool/core/util/XmlUtilTest.java b/hutool-core/src/test/java/org/dromara/hutool/core/util/XmlUtilTest.java
index cb3ea50dd..ac6aebe12 100644
--- a/hutool-core/src/test/java/org/dromara/hutool/core/util/XmlUtilTest.java
+++ b/hutool-core/src/test/java/org/dromara/hutool/core/util/XmlUtilTest.java
@@ -12,6 +12,7 @@
 package org.dromara.hutool.core.util;
 
+import lombok.Data;
 import org.dromara.hutool.core.bean.BeanUtil;
 import org.dromara.hutool.core.collection.ListUtil;
 import org.dromara.hutool.core.collection.set.SetUtil;
@@ -19,8 +20,7 @@ import org.dromara.hutool.core.io.resource.ResourceUtil;
 import org.dromara.hutool.core.lang.Console;
 import org.dromara.hutool.core.map.MapBuilder;
 import org.dromara.hutool.core.map.MapUtil;
-import lombok.Data;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
diff --git a/hutool-extra/src/main/java/org/dromara/hutool/extra/xml/JAXBUtil.java b/hutool-extra/src/main/java/org/dromara/hutool/extra/xml/JAXBUtil.java
index 3db4f5a1d..e4880af88 100644
--- a/hutool-extra/src/main/java/org/dromara/hutool/extra/xml/JAXBUtil.java
+++ b/hutool-extra/src/main/java/org/dromara/hutool/extra/xml/JAXBUtil.java
@@ -17,7 +17,7 @@ import org.dromara.hutool.core.io.file.FileUtil;
 import org.dromara.hutool.core.io.IoUtil;
 import org.dromara.hutool.core.text.StrUtil;
 import org.dromara.hutool.core.util.CharsetUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
diff --git a/hutool-http/src/main/java/org/dromara/hutool/http/html/HtmlUtil.java b/hutool-http/src/main/java/org/dromara/hutool/http/html/HtmlUtil.java
index 554c1f91c..a0dda9e5e 100644
--- a/hutool-http/src/main/java/org/dromara/hutool/http/html/HtmlUtil.java
+++ b/hutool-http/src/main/java/org/dromara/hutool/http/html/HtmlUtil.java
@@ -17,7 +17,7 @@ import org.dromara.hutool.core.regex.ReUtil;
 import org.dromara.hutool.core.text.StrUtil;
 import org.dromara.hutool.core.text.escape.EscapeUtil;
 import org.dromara.hutool.core.util.CharsetUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 
 import java.io.InputStream;
 import java.nio.charset.Charset;
diff --git a/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapClient.java b/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapClient.java
index 0adf9f27f..b34277a4e 100644
--- a/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapClient.java
+++ b/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapClient.java
@@ -19,7 +19,7 @@ import org.dromara.hutool.core.text.StrUtil;
 import org.dromara.hutool.core.text.split.SplitUtil;
 import org.dromara.hutool.core.util.CharsetUtil;
 import org.dromara.hutool.core.util.ObjUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 import org.dromara.hutool.http.client.HeaderOperation;
 import org.dromara.hutool.http.client.Request;
 import org.dromara.hutool.http.client.Response;
diff --git a/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapUtil.java b/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapUtil.java
index f2b363838..1a054373a 100644
--- a/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapUtil.java
+++ b/hutool-http/src/main/java/org/dromara/hutool/http/webservice/SoapUtil.java
@@ -22,7 +22,7 @@ import javax.xml.soap.SOAPMessage;
 
 import org.dromara.hutool.core.exception.HutoolException;
 import org.dromara.hutool.core.util.CharsetUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 
 /**
  * SOAP相关工具类
diff --git a/hutool-json/src/test/java/org/dromara/hutool/json/Issue3139Test.java b/hutool-json/src/test/java/org/dromara/hutool/json/Issue3139Test.java
index 1e59a597a..59bfbd483 100755
--- a/hutool-json/src/test/java/org/dromara/hutool/json/Issue3139Test.java
+++ b/hutool-json/src/test/java/org/dromara/hutool/json/Issue3139Test.java
@@ -13,8 +13,7 @@
 package org.dromara.hutool.json;
 
 import lombok.Data;
-import org.dromara.hutool.core.lang.Console;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
diff --git a/hutool-json/src/test/java/org/dromara/hutool/json/IssueI676ITTest.java b/hutool-json/src/test/java/org/dromara/hutool/json/IssueI676ITTest.java
index b7c04a086..4cbf87eaf 100644
--- a/hutool-json/src/test/java/org/dromara/hutool/json/IssueI676ITTest.java
+++ b/hutool-json/src/test/java/org/dromara/hutool/json/IssueI676ITTest.java
@@ -1,7 +1,7 @@
 package org.dromara.hutool.json;
 
 import org.dromara.hutool.core.io.resource.ResourceUtil;
-import org.dromara.hutool.core.util.XmlUtil;
+import org.dromara.hutool.core.xml.XmlUtil;
 import org.dromara.hutool.json.xml.JSONXMLSerializer;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;