#903 disable DOCTYPE to fix XXE Vulnerability

2025-06-28 13:16:19 +08:00 · 2019-01-10 18:28:55 +08:00 · 2019-01-10 18:28:55 +08:00 · 8ec61d1328
commit 8ec61d1328
parent d6923f2537
4 changed files with 8 additions and 1 deletions
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
@ -39,6 +39,7 @@ public class WxCryptUtil {
      try {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setExpandEntityReferences(false);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder();
      } catch (ParserConfigurationException exc) {
        throw new IllegalArgumentException(exc);
--- a/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java
+++ b/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java
@ -40,6 +40,7 @@ public class WxCryptUtilTest {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml)));
@ -83,6 +84,8 @@ public class WxCryptUtilTest {
      String afterEncrpt = pc.encrypt(this.replyMsg);
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setExpandEntityReferences(false);
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      DocumentBuilder db = dbf.newDocumentBuilder();
      StringReader sr = new StringReader(afterEncrpt);
      InputSource is = new InputSource(sr);
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResult.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResult.java
@ -189,6 +189,7 @@ public abstract class BaseWxPayResult implements Serializable {
    try {
      final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      factory.setExpandEntityReferences(false);
      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      this.xmlDoc = factory.newDocumentBuilder()
        .parse(new ByteArrayInputStream(this.xmlString.getBytes(StandardCharsets.UTF_8)));
      return xmlDoc;
--- a/weixin-java-pay/src/test/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResultTest.java
+++ b/weixin-java-pay/src/test/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResultTest.java
@ -75,7 +75,9 @@ public class BaseWxPayResultTest {
  @Test(expectedExceptions = {RuntimeException.class})
  public void testToMap_with_empty_xmlString() {
    WxPayOrderQueryResult result = new WxPayOrderQueryResult();
-    result.setXmlString(" ");
+    result.setXmlString( "<?xml version=\"1.0\" ?><!DOCTYPE doc " +
      "[<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/testdata2.txt\">]" +
      "><doc>&win;</doc>");
    Map<String, String> map = result.toMap();
    System.out.println(map);
  }