mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
23 lines
1.1 KiB
Java
23 lines
1.1 KiB
Java
// Safe counterpart to UnsafeLog4jConfig.java: DOMConfigurator-style XML
|
|
// config loader, hardened by setting FEATURE_SECURE_PROCESSING + the
|
|
// disallow-doctype-decl feature on the factory before the builder is
|
|
// produced. The xml_config sidecar records the hardening fact on the
|
|
// factory's SSA value, propagates it to the builder via
|
|
// `newDocumentBuilder()`, and the parse sink suppresses the XXE bit.
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.xml.XMLConstants;
|
|
import javax.xml.parsers.DocumentBuilder;
|
|
import javax.xml.parsers.DocumentBuilderFactory;
|
|
import org.w3c.dom.Document;
|
|
import java.io.File;
|
|
|
|
public class SafeLog4jConfig {
|
|
public Document loadConfig(HttpServletRequest req) throws Exception {
|
|
String configPath = req.getParameter("config");
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
DocumentBuilder builder = factory.newDocumentBuilder();
|
|
return builder.parse(new File(configPath));
|
|
}
|
|
}
|