Merge pull request from GHSA-r2hc-pmr7-4c9r
* Configured XML parsers to resist XXE attacks Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for avmfritz Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for sonos Signed-off-by: Kai Kreuzer <kai@openhab.org> * added fix for vitotronic and bosesoundtouch Signed-off-by: Kai Kreuzer <kai@openhab.org> * changed avmfritz to singleton pattern Signed-off-by: Kai Kreuzer <kai@openhab.org> * addressed roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org> * address all uses of DocumentBuilderFactory Signed-off-by: Kai Kreuzer <kai@openhab.org> * fixed other occurrences in roku binding Signed-off-by: Kai Kreuzer <kai@openhab.org>
@@ -14,6 +14,7 @@ package org.openhab.binding.roku.internal.communication;
|
||||
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
|
||||
import org.eclipse.jdt.annotation.NonNullByDefault;
|
||||
import org.eclipse.jdt.annotation.Nullable;
|
||||
@@ -38,6 +39,7 @@ public class JAXBUtils {
|
||||
public static final @Nullable JAXBContext JAXBCONTEXT_APPS = initJAXBContextApps();
|
||||
public static final @Nullable JAXBContext JAXBCONTEXT_DEVICE_INFO = initJAXBContextDeviceInfo();
|
||||
public static final @Nullable JAXBContext JAXBCONTEXT_PLAYER = initJAXBContextPlayer();
|
||||
public static final XMLInputFactory XMLINPUTFACTORY = initXMLInputFactory();
|
||||
|
||||
private static @Nullable JAXBContext initJAXBContextActiveApp() {
|
||||
try {
|
||||
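Review bot: The new public constant `XMLINPUTFACTORY` carries no Javadoc, although it is meant to be the single factory every Roku response goes through. I would add `/** Shared StAX factory with DTD and external-entity support disabled; use it for all XML received from a device instead of a plain StringReader unmarshal. */` above the field, so that a later code path does not quietly fall back to `XMLInputFactory.newInstance()`. Unlike the `JAXBCONTEXT_*` constants beside it, the field is correctly left without `@Nullable`, since `initXMLInputFactory()` always returns an instance.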
@@ -74,4 +76,11 @@ public class JAXBUtils {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static XMLInputFactory initXMLInputFactory() {
|
||||
XMLInputFactory xif = XMLInputFactory.newInstance();
|
||||
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
return xif;
|
||||
}
|
||||
}
|
||||
|
||||
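Review bot: `initXMLInputFactory()` sets the two hardening properties without saying why, which makes them easy to drop in a later cleanup. I would put a why-comment above the two `setProperty` calls: `// Device responses are untrusted: refuse DTDs and external entities so a crafted reply cannot trigger XXE or entity expansion.` With `SUPPORT_DTD` set to false, a response that carries a DOCTYPE will typically be rejected with an `XMLStreamException` rather than parsed; that is the intended outcome, but it is worth stating in the method's Javadoc so callers understand why such replies surface as errors.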
@@ -20,6 +20,8 @@ import java.util.concurrent.TimeoutException;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.stream.XMLStreamException;
|
||||
import javax.xml.stream.XMLStreamReader;
|
||||
|
||||
import org.eclipse.jdt.annotation.NonNullByDefault;
|
||||
import org.eclipse.jetty.client.HttpClient;
|
||||
@@ -94,14 +96,16 @@ public class RokuCommunicator {
|
||||
if (ctx != null) {
|
||||
Unmarshaller unmarshaller = ctx.createUnmarshaller();
|
||||
if (unmarshaller != null) {
|
||||
DeviceInfo device = (DeviceInfo) unmarshaller.unmarshal(new StringReader(getCommand(urlQryDevice)));
|
||||
XMLStreamReader xsr = JAXBUtils.XMLINPUTFACTORY
|
||||
.createXMLStreamReader(new StringReader(getCommand(urlQryDevice)));
|
||||
DeviceInfo device = (DeviceInfo) unmarshaller.unmarshal(xsr);
|
||||
if (device != null) {
|
||||
return device;
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new RokuHttpException("No DeviceInfo model in response");
|
||||
} catch (JAXBException e) {
|
||||
} catch (JAXBException | XMLStreamException e) {
|
||||
throw new RokuHttpException("Exception creating DeviceInfo Unmarshaller: " + e.getLocalizedMessage());
|
||||
}
|
||||
}
|
||||
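Review bot: The `XMLStreamReader` created at the `JAXBUtils.XMLINPUTFACTORY.createXMLStreamReader(...)` line is never closed; `XMLStreamReader` is not `AutoCloseable`, so the call should read `try { device = (DeviceInfo) unmarshaller.unmarshal(xsr); } finally { xsr.close(); }`. The widened catch also reports a parse failure, which now includes a rejected DOCTYPE, as `"Exception creating DeviceInfo Unmarshaller: ..."`, which is misleading for whoever reads the log; a distinct message such as `"Exception parsing DeviceInfo response: "` for the `XMLStreamException` case would make rejected input visible. The same two points apply to the hunks at `@@ -118,8 +122,10 @@`, `@@ -143,14 +149,16 @@` and `@@ -167,14 +175,16 @@`. The enclosing method begins before this hunk.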
@@ -118,8 +122,10 @@ public class RokuCommunicator {
|
||||
if (ctx != null) {
|
||||
Unmarshaller unmarshaller = ctx.createUnmarshaller();
|
||||
if (unmarshaller != null) {
|
||||
XMLStreamReader xsr = JAXBUtils.XMLINPUTFACTORY
|
||||
.createXMLStreamReader(new StringReader(getCommand(urlQryActiveApp)));
|
||||
ActiveApp activeApp = (ActiveApp) unmarshaller
|
||||
.unmarshal(new StringReader(getCommand(urlQryActiveApp)));
|
||||
.unmarshal(xsr));
|
||||
if (activeApp != null) {
|
||||
return activeApp;
|
||||
}
|
||||
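Review bot: As rendered here the new line reads `.unmarshal(xsr));`, one closing parenthesis more than the `ActiveApp activeApp = (ActiveApp) unmarshaller` line it continues can take; if that is what the commit contains, this method will not compile. The intended line is `.unmarshal(xsr);`. The enclosing method and its catch block lie outside this hunk, so I cannot see whether `XMLStreamException` was added to its catch as it was in the other three methods.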
@@ -143,14 +149,16 @@ public class RokuCommunicator {
|
||||
if (ctx != null) {
|
||||
Unmarshaller unmarshaller = ctx.createUnmarshaller();
|
||||
if (unmarshaller != null) {
|
||||
Apps appList = (Apps) unmarshaller.unmarshal(new StringReader(getCommand(urlQryApps)));
|
||||
XMLStreamReader xsr = JAXBUtils.XMLINPUTFACTORY
|
||||
.createXMLStreamReader(new StringReader(getCommand(urlQryApps)));
|
||||
Apps appList = (Apps) unmarshaller.unmarshal(xsr);
|
||||
if (appList != null) {
|
||||
return appList.getApp();
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new RokuHttpException("No AppList model in response");
|
||||
} catch (JAXBException e) {
|
||||
} catch (JAXBException | XMLStreamException e) {
|
||||
throw new RokuHttpException("Exception creating AppList Unmarshaller: " + e.getLocalizedMessage());
|
||||
}
|
||||
}
|
||||
@@ -167,14 +175,16 @@ public class RokuCommunicator {
|
||||
if (ctx != null) {
|
||||
Unmarshaller unmarshaller = ctx.createUnmarshaller();
|
||||
if (unmarshaller != null) {
|
||||
Player playerInfo = (Player) unmarshaller.unmarshal(new StringReader(getCommand(urlQryPlayer)));
|
||||
XMLStreamReader xsr = JAXBUtils.XMLINPUTFACTORY
|
||||
.createXMLStreamReader(new StringReader(getCommand(urlQryPlayer)));
|
||||
Player playerInfo = (Player) unmarshaller.unmarshal(xsr);
|
||||
if (playerInfo != null) {
|
||||
return playerInfo;
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new RokuHttpException("No Player info model in response");
|
||||
} catch (JAXBException e) {
|
||||
} catch (JAXBException | XMLStreamException e) {
|
||||
throw new RokuHttpException("Exception creating Player info Unmarshaller: " + e.getLocalizedMessage());
|
||||
}
|
||||
}
|
||||
|
||||