Commit ea483d902fe7127926fd074fd550270a22b5f484

Authored by Alan Davis
1 parent 05e8cf5233

REPO-480 Platform XXE protection implements OWASP recommendations

- Comment out default config and tests so that XmlFactory is logically the same as it was before the new OWASP changes.
     This is to get the builds green again while the other issues are worked on.
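--- a/src/main/java/org/alfresco/xmlfactory/FactoryHelper.java
+++ b/src/main/java/org/alfresco/xmlfactory/FactoryHelper.java
@@ -59,25 +59,30 @@ class FactoryHelper
 FEATURE_USE_ENTITY_RESOLVER2,
 FEATURE_LOAD_EXTERNAL_DTD,
 
-ADDITIONAL_FEATURE_X_INCLUDE_AWARE,
-ADDITIONAL_FEATURE_EXPAND_ENTITY_REFERENCES)));
+ADDITIONAL_FEATURE_X_INCLUDE_AWARE
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// , ADDITIONAL_FEATURE_EXPAND_ENTITY_REFERENCES
+)));
 
 final static List<String> DEFAULT_FEATURES_TO_ENABLE = Collections.unmodifiableList(new ArrayList<>(
 Arrays.asList(
-XMLConstants.FEATURE_SECURE_PROCESSING,
-FEATURE_DISALLOW_DOCTYPE)));
+XMLConstants.FEATURE_SECURE_PROCESSING
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// , FEATURE_DISALLOW_DOCTYPE
+)));
 
 /* white list of classes that can use the parsers with no security restrictions */
 final static List<String> DEFAULT_WHITE_LIST_CALLERS = Collections.unmodifiableList(new ArrayList<>(
 Arrays.asList(
-"com.sun.xml.ws.transport.http.servlet.WSServletContextListener",
-"org.springframework.beans.factory.xml.XmlBeanDefinitionReader",
-"org.springframework.beans.factory.support.AbstractBeanFactory",
-"org.apache.myfaces.config.FacesConfigurator",
-"org.hibernate.cfg.Configuration",
-"org.alfresco.ibatis.HierarchicalXMLConfigBuilder",
-"org.alfresco.repo.security.permissions.impl.model.PermissionModel",
-"org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl"
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// "com.sun.xml.ws.transport.http.servlet.WSServletContextListener",
+// "org.springframework.beans.factory.xml.XmlBeanDefinitionReader",
+// "org.springframework.beans.factory.support.AbstractBeanFactory",
+// "org.apache.myfaces.config.FacesConfigurator",
+// "org.hibernate.cfg.Configuration",
+// "org.alfresco.ibatis.HierarchicalXMLConfigBuilder",
+// "org.alfresco.repo.security.permissions.impl.model.PermissionModel",
+// "org.activiti.engine.impl.cfg.ProcessEngineConfigurationImpl"
 )));
 
 // Property names used to configure the factories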
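Review bot: Each `// TODO uncomment:` marker added in this hunk (and the matching ones in both AppTest.java hunks) names no ticket, so the settings it takes out — FEATURE_DISALLOW_DOCTYPE from DEFAULT_FEATURES_TO_ENABLE, ADDITIONAL_FEATURE_EXPAND_ENTITY_REFERENCES from the features-to-disable list, and every entry of DEFAULT_WHITE_LIST_CALLERS — have nothing that forces them back in once the build is green. Suggest `// TODO <ISSUE-ID>: re-enable FEATURE_DISALLOW_DOCTYPE once the build is fixed (see REPO-480)` on each marker, with the placeholder replaced by the issue that tracks the follow-up. While FEATURE_DISALLOW_DOCTYPE is out of the enabled list, factories configured from these defaults no longer set it, so DOCTYPE declarations are presumably accepted again and only the external-entity, entity-resolver and external-DTD features visible above plus FEATURE_SECURE_PROCESSING remain as XXE and entity-expansion defences; that reduced posture is worth stating in the comment instead of the generic "back to how it was". The list definitions this hunk edits begin above line 59, outside the hunk.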
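--- a/src/test/java/org/alfresco/xmlfactory/AppTest.java
+++ b/src/test/java/org/alfresco/xmlfactory/AppTest.java
@@ -71,14 +71,16 @@ public class AppTest
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 
 assertTrue(dbf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
-assertTrue(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// assertTrue(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
 
 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_EXTERNAL_GENERAL_ENTITIES));
 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_EXTERNAL_PARAMETER_ENTITIES));
 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_USE_ENTITY_RESOLVER2));
 assertFalse(dbf.getFeature(FactoryHelper.FEATURE_LOAD_EXTERNAL_DTD));
 
-assertFalse(dbf.isExpandEntityReferences());
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// assertFalse(dbf.isExpandEntityReferences());
 assertFalse(dbf.isXIncludeAware());
 }
 
@@ -90,7 +92,8 @@ public class AppTest
 SAXParserFactory spf = SAXParserFactory.newInstance();
 
 assertTrue(spf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
-assertTrue(spf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
+// TODO uncomment: Having this commented out takes XmlFactory back to how it was before the latest changes
+// assertTrue(spf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE));
 
 assertFalse(spf.getFeature(FactoryHelper.FEATURE_EXTERNAL_GENERAL_ENTITIES));
 assertFalse(spf.getFeature(FactoryHelper.FEATURE_EXTERNAL_PARAMETER_ENTITIES));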
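Review bot: Commenting out the three assertions (the two FEATURE_DISALLOW_DOCTYPE checks and the isExpandEntityReferences check) leaves the temporary configuration untested, so a later drift in FactoryHelper's defaults in either direction passes these tests silently. Better to pin the state this commit actually produces, e.g. `assertFalse(dbf.getFeature(FactoryHelper.FEATURE_DISALLOW_DOCTYPE)); // temporary, see <ISSUE-ID>` (assuming the parser's default for that feature is false — verify), so the test fails loudly the moment the protection is restored and the matching TODO has to be revisited. Both test methods begin above their hunks; the first closes at new-side line 85, the second runs past the hunk.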