added fix for xml parser vulnerability

aws-amplify · Dec 2, 2022 · 7017568 · 7017568
1 parent ba4a3ae
commit 7017568
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java b/aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java
@@ -112,6 +112,7 @@ private static List<Region> internalParse(
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
             factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
             DocumentBuilder documentBuilder = factory.newDocumentBuilder();
             document = documentBuilder.parse(input);
 

diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java b/aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java
@@ -57,6 +57,7 @@ private static DocumentBuilderFactory getDocumentBuilderFactory() {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             dbf.setXIncludeAware(false); // Default false for java 8. Disable XML Inclusions leading to SSRF - https://portswigger.net/web-security/xxe/lab-xinclude-attack
+            dbf.setExpandEntityReferences(false);
             return dbf;
         }
         catch (ParserConfigurationException exception){