DocumentBuilderFactory limiting (#5797)

2026-03-04 02:20:19 +01:00 · 2026-02-25 17:25:31 +00:00
parent c9e7d9d6c9
commit 9438b8db29
3 changed files with 6 additions and 2 deletions
--- a/app/common/src/main/java/stirling/software/common/util/SvgSanitizer.java
+++ b/app/common/src/main/java/stirling/software/common/util/SvgSanitizer.java
@@ -86,7 +86,7 @@ public class SvgSanitizer {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
--- a/app/core/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java
+++ b/app/core/src/main/java/stirling/software/SPDF/service/CertificateValidationService.java
@@ -612,9 +612,11 @@ public class CertificateValidationService {
     */
    private int parseSecuritySettingsXML(InputStream xmlStream) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

@@ -838,9 +840,11 @@ public class CertificateValidationService {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Secure processing hardening
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
--- a/testing/cucumber/features/steps/step_definitions.py
+++ b/testing/cucumber/features/steps/step_definitions.py
@@ -292,7 +292,7 @@ def step_encrypt_pdf(context, password):

@given("the request data is")
 def step_request_data(context):
-    context.request_data = eval(context.text)
+    context.request_data = json_module.loads(context.text)


@given("the request data includes")