Merge pull request from GHSA-r2hc-pmr7-4c9r

* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
2021-01-24 15:06:00 +01:00
parent 5682292c0b
commit b0a15b48a3
33 changed files with 235 additions and 34 deletions
--- a/bundles/org.openhab.binding.hpprinter/src/main/java/org/openhab/binding/hpprinter/internal/api/HPWebServerClient.java
+++ b/bundles/org.openhab.binding.hpprinter/src/main/java/org/openhab/binding/hpprinter/internal/api/HPWebServerClient.java
@@ -50,7 +50,7 @@ public class HPWebServerClient {

    /**
     * Creates a new HP Web Server Client object.
-     * 
+     *
     * @param httpClient {HttpClient} The HttpClient to use for HTTP requests.
     * @param address The address for the Embedded Web Server.
     */
@@ -63,7 +63,7 @@ public class HPWebServerClient {

    /**
     * Gets the Status information from the Embedded Web Server.
-     * 
+     *
     * @return The status information.
     */
    public HPServerResult<HPStatus> getStatus() {
@@ -84,7 +84,7 @@ public class HPWebServerClient {

    /**
     * Gets the Usage information from the Embedded Web Server.
-     * 
+     *
     * @return The usage information.
     */
    public HPServerResult<HPUsage> getUsage() {
@@ -120,6 +120,12 @@ public class HPWebServerClient {

    private synchronized Document getDocument(String contentAsString)
            throws ParserConfigurationException, SAXException, IOException {
+        // see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        factory.setXIncludeAware(false);
+        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        InputSource source = new InputSource(new StringReader(contentAsString));
        return builder.parse(source);