You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SOAPPartImpl.setContent builds its XMLInputFactory with newInstance() and no other settings, so DTDs and external entities are left on.
when the Source is a StreamSource it's handed straight to that reader, so a body with a DOCTYPE + SYSTEM entity gets expanded — file:// reads or outbound URLs from the parser.
Set SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES to false on the factory before it parses.
What happens if someone calls setContent with a StreamSource over an inbound stream? That's the documented SAAJ way to load a body, so the bytes are attacker reachable and the hardening has to live here rather than in the caller. Lines up with the recent WSDL/XSD XXE work that hardened the DOM path but didn't touch this StAX one. Added a SOAPPartTest case that points an external entity at a temp file and checks the contents never land in the message.
The fix is correct and lands in exactly the right spot. setContent(Source)
was the one SAAJ parse path that built its own XMLInputFactory and created
the reader directly, so it bypassed the DTD guard that Axiom otherwise
applies to SOAP parsing (StAXParserConfiguration.SOAP rejects any DOCTYPE).
Disabling SUPPORT_DTD here closes that gap at the root, and
IS_SUPPORTING_EXTERNAL_ENTITIES=false is good defense-in-depth on top. I
confirmed the inbound-message paths (MessageFactory.createMessage(...,
InputStream) and the MTOM branch) already route through Axiom's hardened
builder, so this was the right — and only — path that needed attention.
This also can't break a legitimate caller: SOAP 1.1 and 1.2 both prohibit
DTDs in the envelope, so a spec-compliant message never carries a DOCTYPE.
The test is well done too — pointing a SYSTEM entity at a temp file and
asserting the marker never appears in the serialized message is the right
check, and accepting either "rejected with an exception" or "not expanded"
as a pass is exactly correct.
Appreciate the clear write-up on the PR. Thanks again!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Set SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES to false on the factory before it parses.
What happens if someone calls setContent with a StreamSource over an inbound stream? That's the documented SAAJ way to load a body, so the bytes are attacker reachable and the hardening has to live here rather than in the caller. Lines up with the recent WSDL/XSD XXE work that hardened the DOM path but didn't touch this StAX one. Added a SOAPPartTest case that points an external entity at a temp file and checks the contents never land in the message.