
Commit ccc4164

fix: harden XML parser in FileTypeDetector against XML bomb DoS (PR #2851)
1 parent b61642a commit ccc4164

1 file changed

Lines changed: 3 additions & 0 deletions


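--- a/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
+++ b/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
@@ -83,9 +83,12 @@ public static String detectFileExtension(byte[] data) {
 try {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setNamespaceAware(true);
+factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+factory.setXIncludeAware(false);
+factory.setExpandEntityReferences(false);
 
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document doc = builder.parse(new java.io.ByteArrayInputStream(data));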
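Review bot: The feature block at new lines 86–91 never sets `XMLConstants.FEATURE_SECURE_PROCESSING`, so the parser's expansion and size limits still depend on the default of whichever JAXP implementation `DocumentBuilderFactory.newInstance()` resolves to. Adding `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` ahead of the other features would make the limits independent of the classpath. With `disallow-doctype-decl` now true, any input carrying a DOCTYPE makes `builder.parse` throw, so a benign XML file with a DOCTYPE will presumably no longer be detected as XML. The catch block lies outside the hunk, so confirm that it fails closed and that this outcome is intended. A one-line comment above the block, such as `// DOCTYPE is rejected outright so entity-expansion payloads never reach the parser`, would keep a later edit from relaxing it.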
