#889 修复一些潜在的XXE漏洞代码

2025-09-19 18:22:27 +08:00 · 2018-12-20 16:47:02 +08:00
parent 9b6893161a
commit 6272639f02
3 changed files with 14 additions and 11 deletions
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
@@ -37,7 +37,9 @@ public class WxCryptUtil {
    @Override
    protected DocumentBuilder initialValue() {
      try {
-        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setExpandEntityReferences(false);
+        return factory.newDocumentBuilder();
      } catch (ParserConfigurationException exc) {
        throw new IllegalArgumentException(exc);
      }
--- a/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java
+++ b/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java
@@ -1,5 +1,11 @@
 package me.chanjar.weixin.common.util.crypto;

+import java.io.IOException;
+import java.io.StringReader;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
 import org.testng.annotations.*;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -7,12 +13,6 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import java.io.IOException;
-import java.io.StringReader;
-
 import static org.testng.Assert.*;

@Test
@@ -39,6 +39,7 @@ public class WxCryptUtilTest {
    System.out.println(encryptedXml);

    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+    documentBuilderFactory.setExpandEntityReferences(false);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml)));

@@ -81,6 +82,7 @@ public class WxCryptUtilTest {
      WxCryptUtil pc = new WxCryptUtil(this.token, this.encodingAesKey, this.appId);
      String afterEncrpt = pc.encrypt(this.replyMsg);
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setExpandEntityReferences(false);
      DocumentBuilder db = dbf.newDocumentBuilder();
      StringReader sr = new StringReader(afterEncrpt);
      InputSource is = new InputSource(sr);