Disallow XXE by default #8

eerohele · Jan 17, 2024 · 0fc3e72 · 0fc3e72
1 parent 5c9c3d3
commit 0fc3e72
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # Change Log
 All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/).
 
+## 1.1.0 (2024-01-17)
+- **BREAKING**: Disallow XXE by default #8
+
+  While Sigel does not normally make breaking changes; security issues are an exception. Clojure [sets a precedent](https://github.com/clojure/clojure/commit/4a4a6e7717d411679820c4a3ce735a77aef45cc3) for the same issue.
+
 ## 1.0.3 (2023-04-27)
 - Extend `XMLSource` to `InputStream`
 

diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>me.flowthing</groupId>
   <artifactId>sigel</artifactId>
-  <version>1.0.3</version>
+  <version>1.1.0</version>
   <name>sigel</name>
   <dependencies>
     <dependency>

diff --git a/src/sigel/saxon.clj b/src/sigel/saxon.clj
@@ -1,5 +1,6 @@
 (ns sigel.saxon
   (:import (net.sf.saxon Configuration)
+           (net.sf.saxon.lib FeatureKeys)
            (net.sf.saxon.s9api DocumentBuilder Processor)))
 
 
@@ -10,7 +11,10 @@
 
 (def ^Processor processor
   "A default Saxon [Processor](http://www.saxonica.com/html/documentation/javadoc/net/sf/saxon/s9api/Processor.html)."
-  (Processor. configuration))
+  (doto (Processor. configuration)
+    (.setConfigurationProperty (str FeatureKeys/XML_PARSER_FEATURE "http://apache.org/xml/features/nonvalidating/load-external-dtd") false)
+    (.setConfigurationProperty (str FeatureKeys/XML_PARSER_FEATURE "http://xml.org/sax/features/external-general-entities") false)
+    (.setConfigurationProperty (str FeatureKeys/XML_PARSER_FEATURE "http://xml.org/sax/features/external-parameter-entities") false)))
 
 
 (def ^DocumentBuilder builder

diff --git a/test/sigel/xpath_test.clj b/test/sigel/xpath_test.clj
@@ -49,3 +49,8 @@
                      "<num>1</num>" "num[xs:integer(.) eq $one]"
                      {:one 1})
         ["<num>1</num>"])))
+
+(deftest issue-8
+  (is (empty?
+        (xpath/value-of
+          "<!DOCTYPE x [<!ELEMENT x ANY> <!ENTITY xxe SYSTEM 'file:///etc/hostname'>]><x>&xxe;</x>""/x"))))