From 4bd943cae3039c51c3f54de9cd76abbfb647666b Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Fri, 24 Sep 2021 14:15:26 -0400 Subject: [PATCH] fix(jruby): SAX parser uses an entity resolver to avoid XXE injections. This behavior now matches the CRuby implementation. --- ext/java/nokogiri/XmlSaxParserContext.java | 1 + test/xml/sax/test_parser.rb | 33 ++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/ext/java/nokogiri/XmlSaxParserContext.java b/ext/java/nokogiri/XmlSaxParserContext.java index b92538c76a..573c069740 100644 --- a/ext/java/nokogiri/XmlSaxParserContext.java +++ b/ext/java/nokogiri/XmlSaxParserContext.java @@ -225,6 +225,7 @@ public class XmlSaxParserContext extends ParserContext preParse(runtime, handlerRuby, handler); parser.setContentHandler(handler); parser.setErrorHandler(handler); + parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options)); try { parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler); diff --git a/test/xml/sax/test_parser.rb b/test/xml/sax/test_parser.rb index 69f16d66d2..1a54ff638b 100644 --- a/test/xml/sax/test_parser.rb +++ b/test/xml/sax/test_parser.rb @@ -426,5 +426,38 @@ def call_parse_io_with_encoding(encoding) assert_predicate(handler.errors, :empty?) end + + it "does not resolve entities by default" do + xml = <<~EOF + + + + ]> + &local;&custom; + EOF + + doc = Doc.new + parser = Nokogiri::XML::SAX::Parser.new(doc) + parser.parse(xml) + + assert_nil(doc.data) + end + + it "does not resolve network external entities by default" do + xml = <<~EOF + + + ]> + &remote; + EOF + + doc = Doc.new + parser = Nokogiri::XML::SAX::Parser.new(doc) + parser.parse(xml) + + assert_nil(doc.data) + end end end
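Review bot: The new `parser.setEntityResolver(...)` line is the only place the XXE hardening is wired in, and nothing in the hunk says why, so a maintainer could later drop or reorder it without noticing the consequence; add a comment above it such as `// Route DTD/external entity loading through NokogiriEntityResolver so entities are only fetched when the parse options allow it (matches the CRuby SAX parser).` The call also passes `errorHandler` while the lines just above register `handler` as the SAX error handler; if those are two different objects, a short comment on which one receives resolver errors would help, and if `errorHandler` is not a field of XmlSaxParserContext this will not compile (the hunk does not show its declaration). The enclosing method starts before and continues after this hunk, including the `try` block that follows.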
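Review bot: Both new tests only assert `assert_nil(doc.data)`, which cannot distinguish "entity was not resolved" from "parse aborted with an error before any character data arrived", so a regression that makes the parser fail loudly would still pass. If `Doc` records errors as the handler in the preceding test does, add `assert_empty(doc.errors)` (or the equivalent predicate) after the nil check in both tests; otherwise consider asserting that the text callback was never invoked at all. In this rendering the DOCTYPE lines inside both heredocs are not visible, so I could not confirm that the fixtures actually declare `local`, `custom` and `remote` as external entities; please double-check the committed fixtures. The two tests also repeat the `Doc.new` / `Parser.new` / `parse` sequence verbatim, which could be folded into a small helper in this describe block.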