[Security] Disable external entity processing in XML upload to prevent XXE

jinsongzhou · jinsongzhou · commit 2ed10c0e1bc5 · 2026-03-19T10:11:10.000+08:00
When uploading XML configuration files (e.g. core-site.xml, hdfs-site.xml),
the uploaded bytes are parsed by Hadoop's Configuration.addResource().
Although the current classpath includes Woodstox (which does not expand
external entities by default), this implicit protection is fragile and can
silently break if dependencies change.

This patch explicitly disables external entity processing using a
hardened XMLInputFactory before delegating to Hadoop Configuration,
ensuring XXE protection regardless of the underlying XML parser
implementation.

Changes:
- Pre-validate the XML stream with XMLInputFactory configured to:
  - IS_SUPPORTING_EXTERNAL_ENTITIES = false
  - SUPPORT_DTD = false
  - FEATURE_SECURE_PROCESSING = true
- Switch to Configuration(false) to avoid loading default Hadoop configs
diff --git a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java
@@ -27,6 +27,9 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 
+import javax.xml.XMLConstants;
+import javax.xml.stream.XMLInputFactory;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -52,7 +55,15 @@ public void uploadFile(Context ctx) throws IOException {
     // validate xml config
     if (name.toLowerCase().endsWith(".xml")) {
       try {
-        Configuration configuration = new Configuration();
+        // Explicitly disable external entity processing to prevent XXE attacks,
+        // regardless of the underlying XML parser implementation on the classpath.
+        XMLInputFactory xif = XMLInputFactory.newInstance();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        xif.setProperty(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        xif.createXMLStreamReader(new ByteArrayInputStream(bytes)).close();
+
+        Configuration configuration = new Configuration(false);
         configuration.addResource(new ByteArrayInputStream(bytes));
         configuration.setDeprecatedProperties();
       } catch (Exception e) {
