jessikitty/jadx
1
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects Releases Wiki Activity

fix: harden XML parser in FileTypeDetector against XML bomb DoS (PR #2851)

Browse Source
This commit is contained in:
Ruffalo Lavoisier
2026-04-15 03:15:34 +09:00
committed by GitHub
parent b61642a646
commit ccc4164d54
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
+3
View File
@@ -83,9 +83,12 @@ public class FileTypeDetector {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new java.io.ByteArrayInputStream(data));