JoeKung/print-calculator
1
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(back-end): fix security issue
All checks were successful
Build and Deploy / test-backend (push) Successful in 26s
Details
PR Checks / prettier-autofix (pull_request) Successful in 9s
Details
PR Checks / security-sast (pull_request) Successful in 32s
Details
Build and Deploy / test-frontend (push) Successful in 1m3s
Details
PR Checks / test-backend (pull_request) Successful in 26s
Details
Build and Deploy / build-and-push (push) Successful in 37s
Details
PR Checks / test-frontend (pull_request) Successful in 1m6s
Details
Build and Deploy / deploy (push) Successful in 13s
Details

Browse Source
This commit is contained in:
Joe Küng
2026-03-03 18:26:03 +01:00
parent f5cdaf51cb
commit e23bca0734
1 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
backend/src/main/java/com/printcalculator/service/SlicerService.java
View File

@@ -639,9 +639,17 @@ public class SlicerService {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true); dbf.setNamespaceAware(true);
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
setFeatureIfSupported(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true); dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-general-entities", false); try {
setFeatureIfSupported(dbf, "http://xml.org/sax/features/external-parameter-entities", false); dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
} catch (Exception ignored) {
// Best-effort hardening.
}
try {
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (Exception ignored) {
// Best-effort hardening.
}
dbf.setXIncludeAware(false); dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false); dbf.setExpandEntityReferences(false);
@@ -650,14 +658,6 @@ public class SlicerService {
} }
} }
private void setFeatureIfSupported(DocumentBuilderFactory dbf, String feature, boolean enabled) {
try {
dbf.setFeature(feature, enabled);
} catch (Exception ignored) {
// Best-effort hardening.
}
}
private String normalizeZipPath(String rawPath) throws IOException { private String normalizeZipPath(String rawPath) throws IOException {
if (rawPath == null || rawPath.isBlank()) { if (rawPath == null || rawPath.isBlank()) {
throw new IOException("Invalid empty 3MF model path"); throw new IOException("Invalid empty 3MF model path");