jiazhizhong/crmeb_java
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修复 XML 有可能出现的注入风险

Browse Source
This commit is contained in:
daZongZi
2025-01-17 18:15:00 +08:00
parent 451c9587c0
commit b0678e772f
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
crmeb/crmeb-common/src/main/java/com/zbkj/common/utils/XmlUtil.java
View File

@@ -12,6 +12,7 @@ import org.w3c.dom.Node;
import org.w3c.dom.NodeList; import org.w3c.dom.NodeList;
import org.w3c.dom.Text; import org.w3c.dom.Text;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
@@ -46,13 +47,14 @@ public class XmlUtil {
InputStream in = null; InputStream in = null;
try { try {
in = request.getInputStream(); in = request.getInputStream();
setReaderFeature(reader);
Document doc = reader.read(in); Document doc = reader.read(in);
Element root = doc.getRootElement(); Element root = doc.getRootElement();
List<Element> list = root.elements(); List<Element> list = root.elements();
for (Element element : list) { for (Element element : list) {
map.put(element.getName(), element.getText()); map.put(element.getName(), element.getText());
} }
} catch (IOException | DocumentException e) { } catch (IOException | DocumentException | SAXException e) {
e.printStackTrace(); e.printStackTrace();
} finally { } finally {
try { try {
@@ -91,6 +93,12 @@ public class XmlUtil {
// return map; // return map;
// } // }
public static void setReaderFeature(SAXReader reader) throws SAXException {
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}
public static HashMap<String, Object> xmlToMap(String strxml) { public static HashMap<String, Object> xmlToMap(String strxml) {
strxml = strxml.replaceFirst("encoding=\".*\"", "encoding=\"UTF-8\""); strxml = strxml.replaceFirst("encoding=\".*\"", "encoding=\"UTF-8\"");