Prevent XML External Entities vulnerability in CurrenctyConverter module.

2020-03-18 15:47:51 -07:00 · 2020-03-18 15:47:51 -07:00 · 4aa8cc2df6
commit 4aa8cc2df6
parent acc7c42112
6 changed files with 16 additions and 12 deletions
--- a/src/main/java/net/thauvin/erik/mobibot/modules/CurrencyConverter.java
+++ b/src/main/java/net/thauvin/erik/mobibot/modules/CurrencyConverter.java
@ -47,6 +47,7 @@ import org.jdom2.JDOMException;
 import org.jdom2.Namespace;
 import org.jdom2.input.SAXBuilder;

+import javax.xml.XMLConstants;
 import java.io.IOException;
 import java.net.URL;
 import java.text.NumberFormat;
@ -137,6 +138,9 @@ public final class CurrencyConverter extends ThreadedModule {
        if (EXCHANGE_RATES.isEmpty()) {
            try {
                final SAXBuilder builder = new SAXBuilder();
+                // See https://rules.sonarsource.com/java/tag/owasp/RSPEC-2755
+                builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                builder.setIgnoringElementContentWhitespace(true);

                final Document doc = builder.build(new URL(EXCHANGE_TABLE_URL));