Merge pull request quartz-scheduler#6 from jgallimore/issue-467-xxe-2…

….2.x

Issue quartz-scheduler#467 provide XML parser with a strong configuration to prevent …

quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java

@@ -173,7 +173,14 @@ protected void initDocumentParser() throws ParserConfigurationException  {
         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
 
         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
-
+
+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docBuilderFactory.setXIncludeAware(false);
+        docBuilderFactory.setExpandEntityReferences(false);
+
         docBuilder = docBuilderFactory.newDocumentBuilder();
 
         docBuilder.setErrorHandler(this);

quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java

@@ -30,6 +30,7 @@
 import org.quartz.simpl.SimpleThreadPool;
 import org.quartz.spi.ClassLoadHelper;
 import org.quartz.utils.DBConnectionManager;
+import org.xml.sax.SAXParseException;
 
 /**
  * Unit test for XMLSchedulingDataProcessor.
@@ -204,6 +205,31 @@ public void testQTZ327SimpleTriggerNoRepeat() throws Exception {
    		}
    	}
 
+    public void testXmlParserConfiguration() throws Exception {
+		Scheduler scheduler = null;
+		try {
+			StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
+			scheduler = factory.getScheduler();
+			ClassLoadHelper clhelper = new CascadingClassLoadHelper();
+			clhelper.initialize();
+			XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
+			processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
+
+
+			final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
+			final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
+			final String description = jobDetail.getDescription();
+
+
+			fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
+		} catch (SAXParseException e) {
+			assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
+		} finally {
+			if (scheduler != null)
+				scheduler.shutdown();
+		}
+	}
+
 	private Date dateOfGMT_UTC(int hour, int minute, int second, int dayOfMonth, int month, int year) {
 		final GregorianCalendar calendar = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
 		calendar.set(year, month, dayOfMonth, hour, minute, second);

quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ELEMENT foo ANY >
+		<!ENTITY xxe SYSTEM "/" >]>
+<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
+	<schedule>
+		<job>
+			<name>xxe</name>
+			<group>native</group>
+			<description>&xxe;</description>
+			<job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
+			<durability>true</durability>
+			<recover>false</recover>
+		</job>
+	</schedule>
+</job-scheduling-data>