apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

new capacity bits (#67)

Browse source
This commit is contained in:
Eli Peter 2026-05-07 01:29:31 -04:00 committed by GitHub
parent afaffc0df6
commit 7d0e7320e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
261 changed files with 10591 additions and 231 deletions
Download patch file Download diff file Expand all files Collapse all files

23
tests/fixtures/xxe/java/SafeLog4jConfig.java vendored Normal file
View file

@ -0,0 +1,23 @@
// Safe counterpart to UnsafeLog4jConfig.java: DOMConfigurator-style XML
// config loader, hardened by setting FEATURE_SECURE_PROCESSING + the
// disallow-doctype-decl feature on the factory before the builder is
// produced. The xml_config sidecar records the hardening fact on the
// factory's SSA value, propagates it to the builder via
// `newDocumentBuilder()`, and the parse sink suppresses the XXE bit.
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.File;
public class SafeLog4jConfig {
public Document loadConfig(HttpServletRequest req) throws Exception {
String configPath = req.getParameter("config");
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(new File(configPath));
}
}