CVE-2021-33813 - issue
coolmg opened this issue · comments
Hi,
I have written sample code using the latest JDOM 2.0.6.1 version, but I still see the issue.
Please see my code and suggest the solution for it.
```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Content;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.springframework.web.bind.annotation.GetMapping;
import org.xml.sax.InputSource;

@GetMapping("/testxml")
public String test_SAXBuilder() throws IOException {
    // Internal entity chain: t3 -> 5 x t2 -> 4 x t1 -> 2 x bar ("World ")
    String xmlParam = "<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar \"World \"> <!ENTITY t1 \"&bar;&bar;\"><!ENTITY t2 \"&t1;&t1;&t1;&t1;\"> <!ENTITY t3 \"&t2;&t2;&t2;&t2;&t2;\">]><foo>Hello &t3;</foo>";
    String result = null;
    try {
        // disallow-doctype-decl is set to true and after parsing will hold value true
        SAXBuilder builder = new SAXBuilder();
        Document doc = builder.build(new InputSource(new StringReader(xmlParam)));
        String s = "";
        for (Object content1 : doc.getContent()) {
            Content content = (Content) content1;
            s += content.getValue();
        }
        result = s;
    } catch (JDOMException e) {
        // parse errors are swallowed; result stays null
    }
    return result;
}
```
Output:
Hello World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World
Where are you actually changing the SAX parser settings?
No settings added, the above is the complete code.
Do we need to add any extra code to fix it?
builder.setExpandEntities(false)
will stop external entity expansion
Thanks
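As an added example (not code from this issue or from the JDOM project), here is one way to build a `SAXBuilder` that applies the `setExpandEntities(false)` suggestion above and, in addition, rejects any DOCTYPE so that a DTD-driven entity chain like the reporter's sample is refused before any expansion happens. The feature URIs are the standard Xerces/SAX ones; the class name `HardenedJdomParse`, the `SAMPLE` document and the helper method names are assumptions made for this example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;
import org.xml.sax.InputSource;

public class HardenedJdomParse {

    // Constructed sample input: a small internal entity chain of the same shape as the report above.
    static final String SAMPLE =
        "<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar \"World \">"
        + "<!ENTITY t1 \"&bar;&bar;\">]><foo>Hello &t1;</foo>";

    // Constructed sample input without a DTD: this one should parse normally.
    static final String PLAIN = "<foo>Hello</foo>";

    /**
     * Builder that refuses any DOCTYPE declaration, so neither internal entity
     * expansion nor external entity resolution can be driven by the input.
     * The extra feature settings and setExpandEntities(false) are kept as a
     * fallback in case the underlying parser ignores disallow-doctype-decl.
     */
    static SAXBuilder noDoctypeBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setExpandEntities(false);
        return builder;
    }

    /** Parses the document and returns the root element's flattened text. */
    static String parseAndFlatten(SAXBuilder builder, String xml)
            throws JDOMException, IOException {
        Document doc = builder.build(new InputSource(new StringReader(xml)));
        return doc.getRootElement().getValue();
    }

    public static void main(String[] args) throws IOException {
        SAXBuilder builder = noDoctypeBuilder();
        try {
            System.out.println("plain: " + parseAndFlatten(builder, PLAIN));
            System.out.println("dtd:   " + parseAndFlatten(builder, SAMPLE));
        } catch (JDOMException e) {
            // Expected for SAMPLE: the DOCTYPE is rejected, so the entity chain is never expanded.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `JDOMException` thrown for `SAMPLE` is the signal that the input contained a DTD; callers that must accept documents with a harmless DOCTYPE can drop the `disallow-doctype-decl` line and rely on the remaining settings, at the cost of still letting the parser process internal entity declarations.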