Fixed possible XXE vulnerability in media API operations

calne-ca · Jul 27, 2024 · 48c5256 · 48c5256
1 parent 5c4fb5f
commit 48c5256
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,7 +15,8 @@
 
 ### Fixed
 
-- Fixed incompatibility with time-zoned date time strings in created/starred fields
+- Incompatibility with time-zoned date time strings in created/starred fields
+- Possible XXE vulnerability in media API operations
 
 ## [0.3.0] - 2021-09-26
 

diff --git a/src/main/java/net/beardbot/subsonic/client/utils/JaxbUtil.java b/src/main/java/net/beardbot/subsonic/client/utils/JaxbUtil.java
@@ -33,9 +33,24 @@
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class JaxbUtil {
 
+    private static final XMLInputFactory inputFactory = createInputFactory();
+    private static final Unmarshaller unmarshaller = createUnmarshaller();
+
     @SneakyThrows
     public static <T> T unmarshall(InputStream xmlStream, Class<T> clazz){
-        Unmarshaller unmarshaller = JAXBContext.newInstance(ObjectFactory.class).createUnmarshaller();
-        return (T) unmarshaller.unmarshal(xmlStream);
+        var reader = inputFactory.createXMLStreamReader(xmlStream);
+        return (T) unmarshaller.unmarshal(reader);
+    }
+
+    private static XMLInputFactory createInputFactory() {
+        var xif = XMLInputFactory.newFactory();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        return xif;
+    }
+
+    @SneakyThrows
+    private static Unmarshaller createUnmarshaller() {
+        return JAXBContext.newInstance(ObjectFactory.class).createUnmarshaller();
     }
 }