🐛 Use safer defaults for xml parser.

2025-03-20 19:51:23 -05:00 · 2021-04-06 17:07:05 +02:00 · 2021-04-06 17:07:05 +02:00 · 4f20d22a4f
commit 4f20d22a4f
parent 94a294e147
4 changed files with 17 additions and 6 deletions
--- a/backend/src/app/http.clj
+++ b/backend/src/app/http.clj
@ -137,7 +137,7 @@
                          [middleware/errors errors/handle]
                          [middleware/cookies]]}

-     ["/svg" {:post svgparse}]
+     ["/svg/parse" {:post svgparse}]
     ["/feedback" {:middleware [(:middleware session)]
                   :post feedback}]

--- a/backend/src/app/svgparse.clj
+++ b/backend/src/app/svgparse.clj
@ -12,6 +12,7 @@
   [app.common.exceptions :as ex]
   [app.metrics :as mtx]
   [clojure.spec.alpha :as s]
+   [clojure.tools.logging :as log]
   [clojure.xml :as xml]
   [integrant.core :as ig])
  (:import
@ -45,14 +46,24 @@
  {:status 200
   :body (process-request body)})

+(defn secure-factory
+  [s ch]
+  (.. (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+        (.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
+        (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
+      (newSAXParser)
+      (parse s ch)))
+
 (defn parse
  [data]
  (try
    (with-open [istream (IOUtils/toInputStream data "UTF-8")]
-      (xml/parse istream))
-    (catch Exception _e
+      (xml/parse istream secure-factory))
+    (catch Exception e
+      (log/warnf "error on processing svg: %s" (ex-message e))
      (ex/raise :type :validation
-                :code :invalid-svg-file))))
+                :code :invalid-svg-file
+                :cause e))))

 (defn process-request
  [body]
--- a/frontend/src/app/main/data/workspace/persistence.cljs
+++ b/frontend/src/app/main/data/workspace/persistence.cljs
@ -396,7 +396,7 @@

 (defn parse-svg [[name text]]
  (->> (http/send! {:method :post
-                    :uri "/api/svg"
+                    :uri "/api/svg/parse"
                    :headers {"content-type" "image/svg+xml"}
                    :body text})
       (rx/map (fn [{:keys [status body]}]
--- a/frontend/src/app/main/repo.cljs
+++ b/frontend/src/app/main/repo.cljs
@ -5,7 +5,7 @@
 ;; This Source Code Form is "Incompatible With Secondary Licenses", as
 ;; defined by the Mozilla Public License, v. 2.0.
 ;;
-;; Copyright (c) 2020 UXBOX Labs SL
+;; Copyright (c) UXBOX Labs SL

 (ns app.main.repo
  (:require