From e99d8d4f46423e128c95c8cfe4851558334a065a Mon Sep 17 00:00:00 2001
From: Luca Foppiano
Date: Sat, 30 Nov 2024 05:24:50 +0000
Subject: [PATCH 1/2] Fix code scanning alert no. 41: Resolving XML external entity in user-controlled data
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../src/main/java/org/grobid/core/document/OPSService.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/grobid-core/src/main/java/org/grobid/core/document/OPSService.java b/grobid-core/src/main/java/org/grobid/core/document/OPSService.java
index 7b2cf22763..f6edf28dfb 100755
--- a/grobid-core/src/main/java/org/grobid/core/document/OPSService.java
+++ b/grobid-core/src/main/java/org/grobid/core/document/OPSService.java
@@ -118,8 +118,11 @@ public String descriptionRetrieval(String patentNumber) throws IOException,
 spf.setFeature("http://xml.org/sax/features/validation", false);
 spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
 spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 //get a new instance of parser
 XMLReader reader = spf.newSAXParser().getXMLReader();
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 reader.setEntityResolver(new EntityResolver() {
 public InputSource resolveEntity(String publicId, String systemId) {
 return new InputSource(
From c3008ec7eed5d335a98ef5812a44d8d193c236ff Mon Sep 17 00:00:00 2001
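Review bot: The new `disallow-doctype-decl` line makes the parser reject any OPS response that carries a DOCTYPE outright, so `descriptionRetrieval` would then fail with a SAXParseException instead of parsing with entities disabled; whether the service's description documents can contain a DOCTYPE should be confirmed, and the choice recorded in a comment such as `// any DOCTYPE is rejected: OPS responses are expected to carry none, and this closes XXE at the source`. The two added `reader.setFeature` calls repeat settings that `SAXParserFactory.setFeature` already applies to the XMLReader produced by `newSAXParser()`, so they are redundant but harmless; if they are kept as defense in depth, the DOCTYPE feature deserves the same treatment, `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The added feature URI is Xerces-specific, so a different SAX implementation on the classpath would throw SAXNotRecognizedException from that line, which the method's throws clause must cover; the signature is truncated in the hunk header, so that could not be checked here. The custom EntityResolver that follows becomes unreachable for DOCTYPE-bearing input but can stay as a last line of defense. descriptionRetrieval starts before and continues after the hunk.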
From: Luca Foppiano
Date: Sat, 30 Nov 2024 05:27:09 +0000
Subject: [PATCH 2/2] Fix code scanning alert no. 62: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../grobid/service/process/GrobidRestProcessTraining.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java b/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
index 10664d2f09..b425af0c27 100644
--- a/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
+++ b/grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java
@@ -359,6 +359,11 @@ public void run() {
 public Response resultTraining(String token) {
 Response response = null;
 try {
+ // Validate the token to prevent directory traversal
+ if (token.contains("..") || token.contains("/") || token.contains("\\")) {
+ throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
+ }
+
 // access report file under token subdirectory
 File home = GrobidProperties.getInstance().getGrobidHomePath();
 String tokenPath = home.getAbsolutePath() + "/training-history/" + token;
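Review bot: The added denylist at the top of the try block lets an empty token through, which makes `tokenPath` the training-history directory itself, and a null token throws NullPointerException from `token.contains` before the GrobidServiceException is reached; both should be rejected with the same 400. A substring denylist is also weaker than confining the resolved path, so after building the path it is worth normalizing it and checking it is still below training-history, as sketched below (this needs `java.nio.file.Path` imported; `tokenPath` keeps its role, now built from the confined path). The catch clauses of this try are outside the hunk, so confirm that a GrobidServiceException thrown at the new lines is not caught there and re-wrapped as a 500. resultTraining continues past the hunk.
```java
            try {
                // Validate the token to prevent directory traversal
                if (token == null || token.isEmpty()
                        || token.contains("..") || token.contains("/") || token.contains("\\")) {
                    throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
                }

                // access report file under token subdirectory, and confirm the resolved
                // directory is still inside training-history (belt and braces to the check above)
                File home = GrobidProperties.getInstance().getGrobidHomePath();
                Path historyRoot = home.toPath().resolve("training-history").toAbsolutePath().normalize();
                Path tokenDir = historyRoot.resolve(token).normalize();
                if (!tokenDir.startsWith(historyRoot) || tokenDir.equals(historyRoot)) {
                    throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
                }
                String tokenPath = tokenDir.toString();
                // … unchanged: rest of resultTraining …
```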