Skip to content

Commit 4bd943c

Browse files
flavorjonesflavorjones
committed
fix(jruby): SAX parser uses an entity resolver
to avoid XXE injections. This behavior now matches the CRuby implementation.
1 parent f943ee4 commit 4bd943c

File tree

2 files changed

+34
-0
lines changed

2 files changed

+34
-0
lines changed

ext/java/nokogiri/XmlSaxParserContext.java

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -225,6 +225,7 @@ public class XmlSaxParserContext extends ParserContext
225225
preParse(runtime, handlerRuby, handler);
226226
parser.setContentHandler(handler);
227227
parser.setErrorHandler(handler);
228+
parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options));
228229

229230
try {
230231
parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler);

test/xml/sax/test_parser.rb

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -426,5 +426,38 @@ def call_parse_io_with_encoding(encoding)
426426

427427
assert_predicate(handler.errors, :empty?)
428428
end
429+
430+
it "does not resolve entities by default" do
431+
xml = <<~EOF
432+
<?xml version="1.0" encoding="UTF-8"?>
433+
<!DOCTYPE doc [
434+
<!ENTITY local SYSTEM "file:///#{File.expand_path(__FILE__)}">
435+
<!ENTITY custom "resolved>
436+
]>
437+
<doc><foo>&local;</foo><foo>&custom;</foo></doc>
438+
EOF
439+
440+
doc = Doc.new
441+
parser = Nokogiri::XML::SAX::Parser.new(doc)
442+
parser.parse(xml)
443+
444+
assert_nil(doc.data)
445+
end
446+
447+
it "does not resolve network external entities by default" do
448+
xml = <<~EOF
449+
<?xml version="1.0" encoding="UTF-8"?>
450+
<!DOCTYPE doc [
451+
<!ENTITY remote SYSTEM "http://0.0.0.0:8080/evil.dtd">
452+
]>
453+
<doc><foo>&remote;</foo></doc>
454+
EOF
455+
456+
doc = Doc.new
457+
parser = Nokogiri::XML::SAX::Parser.new(doc)
458+
parser.parse(xml)
459+
460+
assert_nil(doc.data)
461+
end
429462
end
430463
end

0 commit comments

Comments
 (0)