UPnP: Disable external entities in XML parser

router/java/src/org/cybergarage/xml/parser/JaxpParser.java

@@ -21,18 +21,21 @@
 
 package org.cybergarage.xml.parser;
 
+import java.io.ByteArrayInputStream;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 import org.cybergarage.xml.Node;
 import org.cybergarage.xml.Parser;
 import org.cybergarage.xml.ParserException;
 import org.w3c.dom.Document;
 import org.w3c.dom.NamedNodeMap;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 
 
@@ -116,8 +119,25 @@ public class JaxpParser extends Parser
 		org.cybergarage.xml.Node root = null;
 		
 		try {
+			// https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
 			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+			factory.setValidating(false);
+			factory.setNamespaceAware(true);
+			factory.setExpandEntityReferences(false);
+			try {
+			    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			} catch (ParserConfigurationException pce) {}
+			try {
+			    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			} catch (ParserConfigurationException pce) {}
+			try {
+			    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			} catch (ParserConfigurationException pce) {}
+			try {
+			    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			} catch (ParserConfigurationException pce) {}
 			DocumentBuilder builder = factory.newDocumentBuilder();
+			builder.setEntityResolver(new BlankingResolver());
 			InputSource inSrc = new InputSource(new NullFilterInputStream(inStream));
 			Document doc = builder.parse(inSrc);
 
@@ -163,4 +183,16 @@ public class JaxpParser extends Parser
 			return rv;
 		}
 	}
+
+	/**
+	 *  I2P -
+	 *  http://stackoverflow.com/questions/5883542/disable-xml-validation-based-on-external-dtd-xsd
+	 */
+	private static class BlankingResolver implements EntityResolver {
+                private static final byte[] DUMMY = new byte[0];
+
+		public InputSource resolveEntity(String arg0, String arg1) {
+			return new InputSource(new ByteArrayInputStream(DUMMY));
+		}
+	}
 }