Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent XXE injection when parsing XML #602

Merged
merged 1 commit into from
Jul 19, 2023
Merged

Prevent XXE injection when parsing XML #602

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion play-ws-standalone-xml/src/main/scala/play/api/libs/ws/XMLBodyReadables.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ trait XMLBodyReadables {
* }}}
*/
implicit val readableAsXml: BodyReadable[Elem] = BodyReadable { response =>
xml.XML.load(new InputSource(new ByteArrayInputStream(response.bodyAsBytes.toArray)))
XML.parser.load(new InputSource(new ByteArrayInputStream(response.bodyAsBytes.toArray)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand how that fix the issue?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xml.XML.load initializes the default Scala XML parser without security configuration, while XML.parser calls the XML parser defined in https://github.com/playframework/play-ws/blob/main/play-ws-standalone-xml/src/main/scala/play/api/libs/ws/XML.scala. That parser sets a non-default SAX parser that prevents XML injection.

}

}
Expand Down