lsm/weixin-java-tools
1
0
Fork 0
mirror of https://gitee.com/binary/weixin-java-tools.git synced 2025-06-28 13:16:19 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

#889 修复一些潜在的XXE漏洞代码

Browse Source
This commit is contained in:
Binary Wang 2018-12-20 16:47:02 +08:00
parent 9b6893161a
commit 6272639f02
3 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
View File

@ -37,7 +37,9 @@ public class WxCryptUtil {
@Override @Override
protected DocumentBuilder initialValue() { protected DocumentBuilder initialValue() {
try { try {
return DocumentBuilderFactory.newInstance().newDocumentBuilder(); final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setExpandEntityReferences(false);
return factory.newDocumentBuilder();
} catch (ParserConfigurationException exc) { } catch (ParserConfigurationException exc) {
throw new IllegalArgumentException(exc); throw new IllegalArgumentException(exc);
} }

14
weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java
View File

@ -1,5 +1,11 @@
package me.chanjar.weixin.common.util.crypto; package me.chanjar.weixin.common.util.crypto;
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.testng.annotations.*; import org.testng.annotations.*;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.w3c.dom.Element; import org.w3c.dom.Element;
@ -7,12 +13,6 @@ import org.w3c.dom.NodeList;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import static org.testng.Assert.*; import static org.testng.Assert.*;
@Test @Test
@ -39,6 +39,7 @@ public class WxCryptUtilTest {
System.out.println(encryptedXml); System.out.println(encryptedXml);
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml))); Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml)));
@ -81,6 +82,7 @@ public class WxCryptUtilTest {
WxCryptUtil pc = new WxCryptUtil(this.token, this.encodingAesKey, this.appId); WxCryptUtil pc = new WxCryptUtil(this.token, this.encodingAesKey, this.appId);
String afterEncrpt = pc.encrypt(this.replyMsg); String afterEncrpt = pc.encrypt(this.replyMsg);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
StringReader sr = new StringReader(afterEncrpt); StringReader sr = new StringReader(afterEncrpt);
InputSource is = new InputSource(sr); InputSource is = new InputSource(sr);

7
weixin-java-pay/src/main/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResult.java
View File

@ -27,7 +27,6 @@ import com.github.binarywang.wxpay.util.SignUtils;
import com.google.common.base.Joiner; import com.google.common.base.Joiner;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import com.google.common.collect.Maps; import com.google.common.collect.Maps;
import com.google.gson.GsonBuilder;
import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.annotations.XStreamAlias; import com.thoughtworks.xstream.annotations.XStreamAlias;
import lombok.Data; import lombok.Data;
@ -191,9 +190,9 @@ public abstract class BaseWxPayResult implements Serializable {
} }
try { try {
this.xmlDoc = DocumentBuilderFactory final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
.newInstance() factory.setExpandEntityReferences(false);
.newDocumentBuilder() this.xmlDoc = factory.newDocumentBuilder()
.parse(new ByteArrayInputStream(this.xmlString.getBytes(StandardCharsets.UTF_8))); .parse(new ByteArrayInputStream(this.xmlString.getBytes(StandardCharsets.UTF_8)));
return xmlDoc; return xmlDoc;
} catch (SAXException | IOException | ParserConfigurationException e) { } catch (SAXException | IOException | ParserConfigurationException e) {