From d08d0c215871454f89bdddb04cf46076a146e44e Mon Sep 17 00:00:00 2001
From: song-tianyang
Date: Wed, 23 Feb 2022 14:07:36 +0800
Subject: [PATCH] =?UTF-8?q?fix(XML=E8=A7=A3=E6=9E=90=E7=9B=B8=E5=85=B3?= =?UTF-8?q?=E5=8A=9F=E8=83=BD):=20=E4=BF=AE=E5=A4=8D=E4=BD=BF=E7=94=A8SAXR?= =?UTF-8?q?eader=E5=AF=BC=E8=87=B4=E7=9A=84xxe=E6=94=BB=E5=87=BB=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
修复使用SAXReader导致的xxe攻击漏洞
---
 .../java/io/metersphere/api/service/APITestService.java | 3 ++-
 .../performance/parse/EngineSourceParserFactory.java | 8 ++++++++
 .../java/io/metersphere/xmind/parser/XmindLegacy.java | 6 ++++--
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/backend/src/main/java/io/metersphere/api/service/APITestService.java b/backend/src/main/java/io/metersphere/api/service/APITestService.java
index 4405b0adb7..2ff372cf9c 100644
--- a/backend/src/main/java/io/metersphere/api/service/APITestService.java
+++ b/backend/src/main/java/io/metersphere/api/service/APITestService.java
@@ -30,6 +30,7 @@ import io.metersphere.controller.request.ScheduleRequest;
 import io.metersphere.dto.ScheduleDao;
 import io.metersphere.i18n.Translator;
 import io.metersphere.job.sechedule.ApiTestJob;
+import io.metersphere.performance.parse.EngineSourceParserFactory;
 import io.metersphere.service.FileService;
 import io.metersphere.service.ScheduleService;
 import io.metersphere.track.service.TestCaseService;
@@ -465,7 +466,7 @@ public class APITestService {
 //获取要转化的文件
 List attachmentFilePathList = new ArrayList<>();
 try {
- Document doc = DocumentHelper.parseText(jmx);// 获取可续保保单列表报文模板
+ Document doc = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(jmx.getBytes("utf-8")));
 Element root = doc.getRootElement();
 Element rootHashTreeElement = root.element("hashTree");
 List innerHashTreeElementList = rootHashTreeElement.elements("hashTree");
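Review bot: `jmx.getBytes("utf-8")` on the added line in the second hunk selects the charset by name and so throws the checked `UnsupportedEncodingException`; `jmx.getBytes(StandardCharsets.UTF_8)` cannot fail and needs no handler, and since the catch clauses of this `try` lie outside the hunk it is not visible whether the new checked exception is handled deliberately or absorbed by a broad catch. The same string-named charset appears on both replaced lines of the XmindLegacy hunks. The dropped trailing comment could be replaced by one that records why the stream-based factory is used here rather than the old String parse, e.g. `// parse via EngineSourceParserFactory so the hardened SAXReader is the single XML entry point`. The enclosing method starts before and continues past this hunk.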
diff --git a/backend/src/main/java/io/metersphere/performance/parse/EngineSourceParserFactory.java b/backend/src/main/java/io/metersphere/performance/parse/EngineSourceParserFactory.java
index 450e772aa6..574112b205 100644
--- a/backend/src/main/java/io/metersphere/performance/parse/EngineSourceParserFactory.java
+++ b/backend/src/main/java/io/metersphere/performance/parse/EngineSourceParserFactory.java
@@ -34,6 +34,14 @@ public class EngineSourceParserFactory {
 public static Document getDocument(InputStream source) throws DocumentException {
 SAXReader reader = new SAXReader();
+ try {
+ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ }catch (Exception e){
+ LogUtil.error(e);
+ }
 if (!IS_TRANS) {
 reader.setXMLFilter(EngineSourceParserFactory.getFilter());
 }
diff --git a/backend/src/main/java/io/metersphere/xmind/parser/XmindLegacy.java b/backend/src/main/java/io/metersphere/xmind/parser/XmindLegacy.java
index 55c17cc6d3..ad140a55b4 100644
--- a/backend/src/main/java/io/metersphere/xmind/parser/XmindLegacy.java
+++ b/backend/src/main/java/io/metersphere/xmind/parser/XmindLegacy.java
@@ -1,9 +1,11 @@
 package io.metersphere.xmind.parser;
+import io.metersphere.performance.parse.EngineSourceParserFactory;
 import org.dom4j.*;
 import org.json.JSONObject;
 import org.json.XML;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
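Review bot: The new `catch (Exception e)` around the four `setFeature` calls only logs and then lets the method continue with the same `reader`, so if the underlying parser rejects one of these features (a `SAXNotRecognizedException` or `SAXNotSupportedException` from an implementation that does not know the Apache-specific `disallow-doctype-decl` name, for instance) the document is still parsed with an unhardened reader — the guard fails open. The method already declares `DocumentException`, so a failure to harden should abort the parse: `} catch (SAXException e) {` / `throw new DocumentException("cannot disable DTD and external entity processing", e);` / `}` (with `org.xml.sax.SAXException` imported), which also fixes the `}catch (Exception e){` spacing that differs from the surrounding code. Since this method becomes the parser for uploaded JMX and XMind content elsewhere in this commit, a Javadoc sentence stating that any DOCTYPE declaration is rejected by design would save the next maintainer from "fixing" that. The remainder of getDocument continues past the hunk.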
@@ -32,7 +34,7 @@ public class XmindLegacy {
 //去除自由风格主题
 xmlContent = xmlContent.replaceAll("", "");
- Document document = DocumentHelper.parseText(xmlContent);// 读取XML文件,获得document对象
+ Document document = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(xmlContent.getBytes("utf-8")));// 读取XML文件,获得document对象
 Element root = document.getRootElement();
 List topics = root.selectNodes("//topic");
@@ -41,7 +43,7 @@ public class XmindLegacy { xmlComments = xmlComments.replace("xmlns=\"urn:xmind:xmap:xmlns:comments:2.0\"", ""); // 添加评论到content中 - Document commentDocument = DocumentHelper.parseText(xmlComments); + Document commentDocument = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(xmlComments.getBytes("utf-8"))); List commentsList = commentDocument.selectNodes("//comment"); for (Node topic : topics) {
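Review bot: Re-encoding the already-decoded `xmlContent` with `getBytes("utf-8")` and parsing it through a `ByteArrayInputStream` changes how the parser chooses its charset: given a byte stream, a SAX parser honours the prolog's `encoding=` declaration, whereas the replaced `DocumentHelper.parseText(xmlContent)` parsed the String through a character stream where that declaration is ignored. If an XMind content.xml or comments.xml ever declares an encoding other than UTF-8 (not verifiable from here), the UTF-8 bytes would now be decoded with the wrong charset and either garble text or fail the parse. A `Reader`-taking overload on EngineSourceParserFactory that constructs the same hardened `SAXReader` and calls `reader.read(new StringReader(xml))` would preserve the old semantics and remove the three duplicated `new ByteArrayInputStream(...getBytes("utf-8"))` wrappers; the second XmindLegacy hunk and the APITestService hunk have the same shape. The enclosing method begins before and continues past this hunk.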