xxe #20
Comments
Internal ticket reference: CSAFE-54086
@360CodeSafe how are you analysing the code? I see an issue within XmlUtils.java which needs patching and the related classes which use it. However parseRegionMetadata & parseXmlInputStream are more difficult to determine.
@QiAnXinCodeSafe this issue has been resolved in the latest release of the SDK, version 2.5.0. Please review and let us know if this issue can be closed.
Hi!
I found that there are many places in ibm-cos-sdk-java that handle XML without disabling XML external entities, which may lead to an XML external entity injection vulnerability. Take XmlUtil.java as an example:
The same problem still exists elsewhere:
parseRegionMetadata.java line 118;
XpathUtils.java line 116;
parseXmlInputStream.java line 142;