Fix XXE Vulnerability in Schema Loading

simei2k · web-flow · commit cd2b6658d588 · 2025-05-11T12:06:27.000+08:00
This PR addresses a critical security vulnerability in the [loadSchema] method related to XML External Entity (XXE) attacks. By restricting access to external DTDs and schemas, we prevent potential server-side exploits. This vulnerability was also found in 3dcitydb/importer-exporter@8ab7fb6, corresponding to CVE-2018-10054 and fixed. References: 1. https://nvd.nist.gov/vuln/detail/cve-2018-10054 2. 3dcitydb/importer-exporter@8ab7fb6
diff --git a/engine/src/main/java/org/hibernate/validator/internal/xml/XmlParserHelper.java b/engine/src/main/java/org/hibernate/validator/internal/xml/XmlParserHelper.java
@@ -138,26 +138,28 @@ public Schema getSchema(String schemaResource) {
 	}
 
 	private Schema loadSchema(String schemaResource) {
-		ClassLoader loader = GetClassLoader.fromClass( XmlParserHelper.class );
-
-		URL schemaUrl = GetResource.action( loader, schemaResource );
-		SchemaFactory sf = SchemaFactory.newInstance( javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI );
-
-		try {
-			sf.setFeature( javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true );
-		}
-		catch (SAXException e) {
-			LOG.unableToEnableSecureFeatureProcessingSchemaXml( schemaResource, e.getMessage() );
-		}
-
-		Schema schema = null;
-		try {
-			schema = NewSchema.action( sf, schemaUrl );
-		}
-		catch (Exception e) {
-			LOG.unableToCreateSchema( schemaResource, e.getMessage() );
-		}
-		return schema;
+	    ClassLoader loader = GetClassLoader.fromClass(XmlParserHelper.class);
+	
+	    URL schemaUrl = GetResource.action(loader, schemaResource);
+	    SchemaFactory sf = SchemaFactory.newInstance(javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI);
+	    
+	    // Security improvement: Restrict access to external DTDs and schemas
+	    try {
+	        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+	        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+	    } catch (SAXException e) {
+	        // Some older parsers might not support these properties
+	        LOG.debug("Unable to set external access restrictions on schema factory", e);
+	    }
+	    
+	    Schema schema = null;
+	    try {
+	        schema = NewSchema.action(sf, schemaUrl);
+	    }
+	    catch (Exception e) {
+	        LOG.unableToCreateSchema(schemaResource, e.getMessage());
+	    }
+	    return schema;
 	}
 
 }
