An XXE issue exists with the way xmlReader is used in the SAXDecoder class.
public class SAXDecoder implements Decoder {
private final Map<Type, ContentHandlerWithResult.Factory<?>> handlerFactories;
private SAXDecoder(Map<Type, ContentHandlerWithResult.Factory<?>> handlerFactories) {
this.handlerFactories = handlerFactories;
}
public static Builder builder() {
return new Builder();
}
@Override
public Object decode(Response response, Type type) throws IOException, DecodeException {
if (response.status() == 404) return Util.emptyValueOf(type);
if (response.body() == null) return null;
ContentHandlerWithResult.Factory<?> handlerFactory = handlerFactories.get(type);
checkState(handlerFactory != null, "type %s not in configured handlers %s", type,
handlerFactories.keySet());
ContentHandlerWithResult<?> handler = handlerFactory.create();
try {
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/namespaces", false);
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setContentHandler(handler); **// XXE**
InputStream inputStream = response.body().asInputStream();
try {
xmlReader.parse(new InputSource(inputStream));
} finally {
ensureClosed(inputStream);
}
return handler.result();
} catch (SAXException e) {
throw new DecodeException(e.getMessage(), e);
}
}
An XXE issue exists with the way xmlReader is used in the SAXDecoder class.
Recommendation: Consider setting the following three features to false