From 00275a011b350c82e924c76c6214cde03d1f8a20 Mon Sep 17 00:00:00 2001 From: jinsongzhou Date: Wed, 11 Mar 2026 17:55:44 +0800 Subject: [PATCH] [Security] Disable external entity processing in XML upload to prevent XXE When uploading XML configuration files (e.g. core-site.xml, hdfs-site.xml), the uploaded bytes are parsed by Hadoop's Configuration.addResource(). Although the current classpath includes Woodstox (which does not expand external entities by default), this implicit protection is fragile and can silently break if dependencies change. This patch explicitly disables external entity processing using a hardened XMLInputFactory before delegating to Hadoop Configuration, ensuring XXE protection regardless of the underlying XML parser implementation. Changes: - Pre-validate the XML stream with XMLInputFactory configured to: - IS_SUPPORTING_EXTERNAL_ENTITIES = false - SUPPORT_DTD = false - FEATURE_SECURE_PROCESSING = true - Switch to Configuration(false) to avoid loading default Hadoop configs --- .../controller/PlatformFileInfoController.java | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java index b3e4689901..cb67c629c3 100644 --- a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java +++ b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java @@ -34,6 +34,9 @@ import java.util.HashMap; import java.util.Map; +import javax.xml.XMLConstants; +import javax.xml.stream.XMLInputFactory; + /** The controller that handles file requests. */ public class PlatformFileInfoController { @@ -52,7 +55,15 @@ public void uploadFile(Context ctx) throws IOException { // validate xml config if (name.toLowerCase().endsWith(".xml")) { try { - Configuration configuration = new Configuration(); + // Explicitly disable external entity processing to prevent XXE attacks, + // regardless of the underlying XML parser implementation on the classpath. + XMLInputFactory xif = XMLInputFactory.newInstance(); + xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); + xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); + xif.setProperty(XMLConstants.FEATURE_SECURE_PROCESSING, true); + xif.createXMLStreamReader(new ByteArrayInputStream(bytes)).close(); + + Configuration configuration = new Configuration(false); configuration.addResource(new ByteArrayInputStream(bytes)); configuration.setDeprecatedProperties(); } catch (Exception e) {