authorBob Foster2015-10-14 22:55:53 -0400
committerBob Foster2015-10-14 22:55:53 -0400
commit6362c295e80a651dcb6c7e8647984d52a974786b (patch)
tree617b1cb663e0c1e19f714793b285f8b89c607664
parent7ace3888c397a2fdcbffca5af97ebe91b288366a (diff)
Fix Bug 479777 - XML External Entity Injection Due To Multiple Filter Bypasses
-rw-r--r--hudson-core/pom.xml2
-rw-r--r--hudson-core/src/main/java/hudson/model/Api.java20
2 files changed, 18 insertions, 4 deletions
diff --git a/hudson-core/pom.xml b/hudson-core/pom.xml
index d985822f..27da2622 100644
--- a/hudson-core/pom.xml
+++ b/hudson-core/pom.xml
@@ -496,7 +496,7 @@
<dependency>
<groupId>org.hudsonci.xpath</groupId>
<artifactId>xpath-service</artifactId>
- <version>1.0.2</version>
+ <version>1.0.3</version>
</dependency>
<dependency>
<groupId>commons-jelly</groupId>
diff --git a/hudson-core/src/main/java/hudson/model/Api.java b/hudson-core/src/main/java/hudson/model/Api.java
index ec44ec1b..24ae6c48 100644
--- a/hudson-core/src/main/java/hudson/model/Api.java
+++ b/hudson-core/src/main/java/hudson/model/Api.java
@@ -38,6 +38,7 @@ import java.io.OutputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.List;
+import org.hudsonci.xpath.XFunctionFilter;
import org.hudsonci.xpath.XPathException;
/**
@@ -56,6 +57,15 @@ public class Api extends AbstractModelObject {
*/
//TODO: review and check whether we can do it private
public final Object bean;
+
+ private static class ApiFunctionFilter implements XFunctionFilter {
+ public boolean accept(String namespaceURI, String prefix, String localName) {
+ if ("document".equals(localName)) {
+ return false;
+ }
+ return true;
+ }
+ }
public Api(Object bean) {
this.bean = bean;
@@ -93,7 +103,7 @@ public class Api extends AbstractModelObject {
// first write to String
Model p = MODEL_BUILDER.get(bean.getClass());
p.writeTo(bean, depth, Flavor.XML.createDataWriter(bean, sw));
-
+
// apply XPath
Object result;
try {
@@ -102,7 +112,9 @@ public class Api extends AbstractModelObject {
// apply exclusions
if (excludes != null) {
for (String exclude : excludes) {
- List<org.dom4j.Node> list = (List<org.dom4j.Node>) new XPath(exclude).selectNodes(dom);
+ XPath ex = new XPath(exclude);
+ ex.setFunctionFilter(new ApiFunctionFilter());
+ List<org.dom4j.Node> list = (List<org.dom4j.Node>) ex.selectNodes(dom);
for (org.dom4j.Node n : list) {
Element parent = n.getParent();
if (parent != null) {
@@ -115,7 +127,9 @@ public class Api extends AbstractModelObject {
if (xpath == null) {
result = dom;
} else {
- List list = new XPath(xpath).selectNodes(dom);
+ XPath ex = new XPath(xpath);
+ ex.setFunctionFilter(new ApiFunctionFilter());
+ List list = ex.selectNodes(dom);
if (wrapper != null) {
Element root = DocumentFactory.getInstance().createElement(wrapper);
for (Object o : list) {
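Review bot: ApiFunctionFilter at the top of this section is a deny-list keyed on localName alone — namespaceURI and prefix are ignored and every function other than `document` is accepted — so the protection holds only as long as `document` is the sole function that must be kept out of user-supplied expressions; whether xpath-service exposes other functions with similar reach cannot be told from this hunk, but an allow-list of the functions the API actually needs would be the more durable shape and is worth checking. The accept method also lacks `@Override` and a comment stating why `document` is rejected, and the `new XPath(...)` / `setFunctionFilter(new ApiFunctionFilter())` pairing is duplicated between the exclusions hunk and the xpath hunk, so a small factory helper keeps both call sites in step if the filter ever changes. The method containing those two hunks starts and ends outside the shown hunks.

```java
    /**
     * Rejects the XPath {@code document()} function so that user-supplied
     * expressions cannot load other documents through it (Bug 479777).
     * Every other function is accepted; revisit as an allow-list if more
     * functions need blocking.
     */
    private static class ApiFunctionFilter implements XFunctionFilter {
        @Override
        public boolean accept(String namespaceURI, String prefix, String localName) {
            // deny-list on the local name only: namespace and prefix are not consulted
            return !"document".equals(localName);
        }
    }

    /** Builds an XPath with the API's function filter already applied. */
    private static XPath newFilteredXPath(String expression) {
        XPath xp = new XPath(expression);
        xp.setFunctionFilter(new ApiFunctionFilter());
        return xp;
    }

    // … unchanged: constructor and XML rendering up to the exclusions loop …
    List<org.dom4j.Node> list = (List<org.dom4j.Node>) newFilteredXPath(exclude).selectNodes(dom);
    // … unchanged: node removal loop and the xpath == null branch …
    List list = newFilteredXPath(xpath).selectNodes(dom);
```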
