The jdom open-source library has an XXE vulnerability

Among Java open-source libraries, jdom is one of the better-known XML parsing packages. On 2 July someone reported an XXE vulnerability in the WeChat Pay callback handling; at its core, the problem is that parsing an XML document caused an external site to be accessed.

The fix is therefore simple as well: disable access to external resources when parsing XML. WeChat's published fix is in the WeChat Pay documentation linked under the references at the end. The code fragment is as follows:

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    // Reject any DOCTYPE declaration, so no entity (internal or external) can be declared at all
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Belt and braces for parsers that do not honour the feature above: never resolve external entities
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Do not fetch an external DTD even when not validating
    documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // XInclude is another way to pull in external documents
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);

    return documentBuilderFactory.newDocumentBuilder();
}

This fix, however, does nothing for jdom, which is to say jdom has had this vulnerability all along. Without further ado, look at the following source snippets.

The createParser method of class org.jdom.input.SAXBuilder:

// Decompiled fragment; the decompiler's class$java$util$Map lookups are written as Map.class here
Class factoryClass = Class.forName("org.jdom.input.JAXPParserFactory");
Method createParser = factoryClass.getMethod("createParser", Boolean.TYPE, Map.class, Map.class);
// this.features / this.properties hold whatever was set through SAXBuilder.setFeature / setProperty
parser = (XMLReader) createParser.invoke(null, new Boolean(this.validate), this.features, this.properties);
this.setFeaturesAndProperties(parser, false);

Now look at createParser in JAXPParserFactory. The painful part is that the features parameter passed into this method is never used at all...

public static XMLReader createParser(boolean validating, Map features, Map properties) throws JDOMException {
    try {
        SAXParser parser = null;
        // jdom builds its reader from SAXParserFactory, not from DocumentBuilderFactory,
        // so features set on a DocumentBuilderFactory never reach this parser
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setValidating(validating);
        factory.setNamespaceAware(true);

        try {
            parser = factory.newSAXParser();
        } catch (ParserConfigurationException var6) {
            throw new JDOMException("Could not allocate JAXP SAX Parser", var6);
        }

        // Only two properties are applied here; the 'features' map is not read anywhere in this method
        setProperty(parser, properties, "http://java.sun.com/xml/jaxp/properties/schemaLanguage");
        setProperty(parser, properties, "http://java.sun.com/xml/jaxp/properties/schemaSource");
        return parser.getXMLReader();
    } catch (SAXException var7) {
        throw new JDOMException("Could not allocate JAXP SAX Parser", var7);
    }
}
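The practical consequence of the two snippets above is that hardening a DocumentBuilderFactory, as in WeChat's fragment, does not touch the XMLReader jdom creates; the only features jdom consults are the ones set on the SAXBuilder itself, which SAXBuilder.createParser pushes onto the reader through setFeaturesAndProperties after JAXPParserFactory returns. The following is an added example, not code from the jdom project or from the original post, assuming jdom 1.x (package org.jdom) and a JAXP SAX parser that understands the Xerces feature names; the XML bodies are constructed samples.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;

public class HardenedJdom {

    // Features set here are stored in the builder's feature map and applied to the
    // underlying XMLReader by setFeaturesAndProperties(parser, false) after createParser().
    public static SAXBuilder newSafeBuilder() {
        SAXBuilder builder = new SAXBuilder(); // non-validating
        // Reject every DOCTYPE, so no entity (internal or external) can even be declared
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Keep entity references unexpanded in the resulting tree as well
        builder.setExpandEntities(false);
        return builder;
    }

    public static Document parse(String xml) throws JDOMException, IOException {
        return newSafeBuilder().build(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a callback body without a DOCTYPE parses normally
        String benign = "<xml><return_code>SUCCESS</return_code></xml>";
        System.out.println(parse(benign).getRootElement().getChildText("return_code"));

        // Constructed sample: a body carrying a DOCTYPE with an external entity is rejected
        // before any resolution is attempted, because disallow-doctype-decl is true
        String withDoctype = "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///nonexistent\">]><xml>&e;</xml>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (JDOMException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

If the deployed parser does not recognise one of the feature names, setFeaturesAndProperties surfaces that as a JDOMException at build time rather than silently ignoring it, which is the behaviour you want in a callback endpoint.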

References:

https://www.jianshu.com/p/960f0b4629b3
http://www.cnblogs.com/kismetv/archive/2018/07/05/9266224.html
https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5