Prevent XML External Entities vulnerability in CurrenctyConverter module.

Erik C. Thauvin 2020-03-18 15:47:51 -07:00
parent acc7c42112
commit 4aa8cc2df6
6 changed files with 16 additions and 12 deletions


@ -14,13 +14,13 @@ import java.time.*;
public final class ReleaseInfo {
public static final String PROJECT = "mobibot";
public static final LocalDateTime BUILDDATE =
LocalDateTime.ofInstant(Instant.ofEpochMilli(1584495033449L), ZoneId.systemDefault());
LocalDateTime.ofInstant(Instant.ofEpochMilli(1584571512171L), ZoneId.systemDefault());
public static final int MAJOR = 0;
public static final int MINOR = 7;
public static final int PATCH = 3;
public static final String PRERELEASE = "beta";
public static final String BUILDMETA = "566";
public static final String VERSION = "0.7.3-beta+566";
public static final String BUILDMETA = "579";
public static final String VERSION = "0.7.3-beta+579";
/**
* Disables the default constructor.


@ -47,6 +47,7 @@ import org.jdom2.JDOMException;
import org.jdom2.Namespace;
import org.jdom2.input.SAXBuilder;
import javax.xml.XMLConstants;
import java.io.IOException;
import java.net.URL;
import java.text.NumberFormat;
@ -137,6 +138,9 @@ public final class CurrencyConverter extends ThreadedModule {
if (EXCHANGE_RATES.isEmpty()) {
try {
final SAXBuilder builder = new SAXBuilder();
// See https://rules.sonarsource.com/java/tag/owasp/RSPEC-2755
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
builder.setIgnoringElementContentWhitespace(true);
final Document doc = builder.build(new URL(EXCHANGE_TABLE_URL));
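Review bot: The two `setProperty` calls block external DTD and schema fetches, but a DOCTYPE with internal entity declarations is still accepted, so entity expansion in the fetched document is bounded only by the parser's built-in limits. If the exchange-rate feed needs no DTD (inferred; its format is not visible here), reject DOCTYPE outright by adding `builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` right after the builder is created. The `ACCESS_EXTERNAL_*` properties are JAXP 1.5 settings that only some SAX implementations recognise. With another parser on the classpath the build presumably fails with a `JDOMException` rather than parsing unsafely, but that should be confirmed against the enclosing `catch`, which lies outside this hunk. The added comment is only a link; a line stating the intent, such as `// Harden against XXE: no external DTD or schema access`, would survive the link going stale.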