hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-10 17:29:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
28c090688602dce434dede48db997ccd2ca7a1b1
codeql/java/ql/src/Security/CWE/CWE-074/XsltInjection.java
Tony Torralba c792567904 Move from experimental
2021-09-27 11:57:53 +02:00

18 lines
810 B
Java
Raw Blame History

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
public void transform(Socket socket, String inputXml) throws Exception {
StreamSource xslt = new StreamSource(socket.getInputStream());
StreamSource xml = new StreamSource(new StringReader(inputXml));
StringWriter result = new StringWriter();
TransformerFactory factory = TransformerFactory.newInstance();
// BAD: User provided XSLT stylesheet is processed
factory.newTransformer(xslt).transform(xml, new StreamResult(result));
// GOOD: The secure processing mode is enabled
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.newTransformer(xslt).transform(xml, new StreamResult(result));
}
Reference in New Issue View Git Blame Copy Permalink