

Merge pull request #1 from TriNetX/remove_xml_vuln
Fix XML external-entity (XXE) vulnerability in the SAX parser setup
GertVil authored Jul 22, 2021
2 parents 45ca4a7 + d287446 commit c2103e3
Showing 1 changed file with 15 additions and 4 deletions.
19 changes: 15 additions & 4 deletions src/main/java/org/ohnlp/medtagger/ml/cr/transShareAnnotation.java
Expand Up @@ -35,6 +35,8 @@
import org.ohnlp.medtagger.ml.type.shareAnnotation;
import org.ohnlp.medtagger.ml.type.shareSlot;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.parsers.SAXParser;

Expand All @@ -52,27 +54,36 @@ public transShareAnnotation(JCas jcas) {
};

public transShareAnnotation(String str, JCas jcas) {
SAXParserFactory factory = SAXParserFactory.newInstance();
mjcas = jcas;
try {
SAXParser saxParser = factory.newSAXParser();
SAXParser saxParser = createSaxParser();
saxParser.parse(new ByteArrayInputStream(str.getBytes()), this);
} catch (Throwable t) {
t.printStackTrace();
}
}

public transShareAnnotation(File xmlfile, JCas jcas) {
SAXParserFactory factory = SAXParserFactory.newInstance();
mjcas=jcas;
try {
SAXParser saxParser = factory.newSAXParser();
SAXParser saxParser = createSaxParser();
saxParser.parse(xmlfile, this);
} catch (Throwable t) {
t.printStackTrace();
}
}

private SAXParser createSaxParser() throws ParserConfigurationException, SAXException {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser saxParser = factory.newSAXParser(); // Noncompliant
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
return saxParser;
}

// ===========================================================
// SAX DocumentHandler methods
// ===========================================================
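Review bot: The `// Noncompliant` comment on `SAXParser saxParser = factory.newSAXParser();` in `createSaxParser` is the marker SonarSource's rule examples use for the vulnerable variant, so it now labels the hardened line as a finding; replace it with a comment stating the intent, e.g. `// XXE hardening: reject any DOCTYPE, never resolve external entities or fetch DTDs/schemas`. A Javadoc on the method should also state two consequences the commit leaves implicit: `disallow-doctype-decl` makes any document carrying a `<!DOCTYPE>` fail to parse (presumably ShARe annotation files never carry one, but that is worth confirming), and because both constructors catch `Throwable` and only call `printStackTrace()`, such a document, or a SAX implementation that does not recognise the Apache feature URIs and throws `SAXNotRecognizedException`, yields an object with no annotations loaded rather than an error to the caller. The skip is fail-closed, which is the right direction, but as written callers cannot distinguish a rejected file from an empty one.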
