fix(XXE漏洞修复): XXE漏洞修复

2025-12-17 00:15:55 +08:00 · 2025-11-20 11:23:29 +08:00
parent d56c600643
commit 5058e2edc7
6 changed files with 41 additions and 43 deletions
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java
@@ -12,6 +12,7 @@ import org.dom4j.Element;
 import org.dom4j.io.SAXReader;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.xml.sax.SAXException;

 import javax.sip.*;
 import javax.sip.header.FromHeader;
@@ -105,15 +106,18 @@ public abstract class ReqAbstractHandler {
        return response;
    }

-    public Element getRootElement(RequestEvent evt) throws DocumentException {
+    public Element getRootElement(RequestEvent evt) throws DocumentException, SAXException {
        return getRootElement(evt, "gb2312");
    }
-    public Element getRootElement(RequestEvent evt, String charset) throws DocumentException {
+    public Element getRootElement(RequestEvent evt, String charset) throws DocumentException, SAXException {
        if (charset == null) {
            charset = "gb2312";
        }
        Request request = evt.getRequest();
        SAXReader reader = new SAXReader();
+        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setEncoding(charset);
        // 对海康出现的未转义字符做处理。
        String[] destStrArray = new String[]{"&lt;","&gt;","&amp;","&apos;","&quot;"};
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/MessageRequestProcessor.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/MessageRequestProcessor.java
@@ -7,6 +7,7 @@ import com.fastbee.sip.server.IGBListener;
 import com.fastbee.sip.service.ISipDeviceService;
 import com.fastbee.sip.util.SipUtil;
 import gov.nist.javax.sip.message.SIPRequest;
+import org.xml.sax.SAXException;
 import lombok.extern.slf4j.Slf4j;
 import org.dom4j.DocumentException;
 import org.dom4j.Element;
@@ -85,7 +86,7 @@ public class MessageRequestProcessor extends ReqAbstractHandler implements Initi
            log.warn("SIP 回复错误", e);
        } catch (InvalidArgumentException e) {
            log.warn("参数无效", e);
-        } catch (ParseException e) {
+        } catch (ParseException | SAXException e) {
            log.warn("SIP回复时解析异常", e);
        }
    }
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/notify/cmdType/KeepaliveHandler.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/notify/cmdType/KeepaliveHandler.java
@@ -16,6 +16,7 @@ import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
+import org.xml.sax.SAXException;

 import javax.sip.InvalidArgumentException;
 import javax.sip.RequestEvent;
@@ -68,7 +69,7 @@ public class KeepaliveHandler extends ReqAbstractHandler implements Initializing
                responseAck(evt);
            }

-        } catch (ParseException | SipException | InvalidArgumentException | DocumentException e) {
+        } catch (ParseException | SipException | InvalidArgumentException | DocumentException | SAXException e) {
            e.printStackTrace();
        }
    }
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/response/cmdType/CatalogHandler.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/response/cmdType/CatalogHandler.java
@@ -17,6 +17,7 @@ import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.springframework.util.ObjectUtils;
+import org.xml.sax.SAXException;

 import javax.sip.InvalidArgumentException;
 import javax.sip.RequestEvent;
@@ -199,7 +200,7 @@ public class CatalogHandler extends ReqAbstractHandler implements InitializingBe
                responseAck(evt);
            }

-        } catch (ParseException | SipException | InvalidArgumentException | DocumentException e) {
+        } catch (ParseException | SipException | InvalidArgumentException | DocumentException | SAXException e) {
            e.printStackTrace();
        }
    }
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/response/cmdType/DeviceInfoHandler.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/message/response/cmdType/DeviceInfoHandler.java
@@ -13,6 +13,7 @@ import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
+import org.xml.sax.SAXException;

 import javax.sip.InvalidArgumentException;
 import javax.sip.RequestEvent;
@@ -48,7 +49,7 @@ public class DeviceInfoHandler extends ReqAbstractHandler implements Initializin
            // 回复200 OK
            responseAck(evt);

-        } catch (DocumentException | SipException | InvalidArgumentException | ParseException e) {
+        } catch (DocumentException | SipException | InvalidArgumentException | ParseException | SAXException e) {
            e.printStackTrace();
        }
    }
--- a/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/util/XmlUtil.java
+++ b/springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/util/XmlUtil.java
@@ -6,6 +6,7 @@ import org.dom4j.Document;
 import org.dom4j.DocumentException;
 import org.dom4j.Element;
 import org.dom4j.io.SAXReader;
+import org.xml.sax.SAXException;

 import javax.sip.RequestEvent;
 import javax.sip.message.Request;
@@ -19,22 +20,20 @@ public class XmlUtil {
    /**
     * 解析XML为Document对象
     *
-     * @param xml
-     *            被解析的XMl
+     * @param xml 被解析的XMl
     * @return Document
     */
-    public static Element parseXml(String xml)
-    {
+    public static Element parseXml(String xml) {
        Document document = null;
        //
        StringReader sr = new StringReader(xml);
-        SAXReader saxReader = new SAXReader();
-        try
-        {
-            document = saxReader.read(sr);
-        }
-        catch (DocumentException e)
-        {
+        SAXReader reader = new SAXReader();
+        try {
+            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            document = reader.read(sr);
+        } catch (DocumentException | SAXException e) {
            log.error("解析失败", e);
        }
        return null == document ? null : document.getRootElement();
@@ -43,16 +42,12 @@ public class XmlUtil {
    /**
     * 获取element对象的text的值
     *
-     * @param em
-     *            节点的对象
-     * @param tag
-     *            节点的tag
+     * @param em  节点的对象
+     * @param tag 节点的tag
     * @return 节点
     */
-    public static String getText(Element em, String tag)
-    {
-        if (null == em)
-        {
+    public static String getText(Element em, String tag) {
+        if (null == em) {
            return null;
        }
        Element e = em.element(tag);
@@ -63,16 +58,12 @@ public class XmlUtil {
    /**
     * 递归解析xml节点，适用于 多节点数据
     *
-     * @param node
-     *            node
-     * @param nodeName
-     *            nodeName
-     * @return List<Map<String, Object>>
+     * @param node     node
+     * @param nodeName nodeName
+     * @return List<Map < String, Object>>
     */
-    public static List<Map<String, Object>> listNodes(Element node, String nodeName)
-    {
-        if (null == node)
-        {
+    public static List<Map<String, Object>> listNodes(Element node, String nodeName) {
+        if (null == node) {
            return null;
        }
        // 初始化返回
@@ -82,12 +73,9 @@ public class XmlUtil {

        Map<String, Object> map = null;
        // 遍历属性节点
-        for (Attribute attribute : list)
-        {
-            if (nodeName.equals(node.getName()))
-            {
-                if (null == map)
-                {
+        for (Attribute attribute : list) {
+            if (nodeName.equals(node.getName())) {
+                if (null == map) {
                    map = new HashMap<String, Object>();
                    listMap.add(map);
                }
@@ -99,17 +87,19 @@ public class XmlUtil {
        // 遍历当前节点下的所有节点 ，nodeName 要解析的节点名称
        // 使用递归
        Iterator<Element> iterator = node.elementIterator();
-        while (iterator.hasNext())
-        {
+        while (iterator.hasNext()) {
            Element e = iterator.next();
            listMap.addAll(listNodes(e, nodeName));
        }
        return listMap;
    }

-    public static Element getRootElement(RequestEvent evt) throws DocumentException {
+    public static Element getRootElement(RequestEvent evt) throws DocumentException, SAXException {
        Request request = evt.getRequest();
        SAXReader reader = new SAXReader();
+        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setEncoding("gbk");
        Document xml = reader.read(new ByteArrayInputStream(request.getRawContent()));
        return xml.getRootElement();