Update SVGParser.java

[Anon-Artist]

📊 Metadata *

VectAlign (a.k.a. VectorDrawableAlign) is a developer's tool which automagically aligns two VectorDrawable "pathData" strings (or SVG images) in order to allow morphing animations between them using an AnimatedVectorDrawable.

Bounty URL: https://www.huntr.dev/bounties/1-other-vectalign

⚙️ Description *

VectAlign (a.k.a. VectorDrawableAlign) is vulnerable to (XXE) Vulnerability.

💻 Technical Description *

OWASP recommends ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET but it's mainly centered for the TransformerFactory Parser. As it's implemented in DocumentBuilderFactory and has been used in other functions as well, I wrote a fix for it rather than switching to any other parsers.

🐛 Proof of Concept (PoC) *

1. download and run https://bintray.com/artifact/download/bonnyfone/maven/vectalign-0.2-jar-with-dependencies.jar
2. create a payload svg or use : (this is a example of External XML Inclusion)
   *https://drive.google.com/drive/folders/1CLc0cYmz6Q-CGnMpDnupx7YTjNzo8Eir?usp=sharing
   POC IMAGE
   *https://drive.google.com/file/d/1VqfAgldmtY-qrgHRfizVvAH2oIFZVT-q/view

🔥 Proof of Fix (PoF) *

XXE is Fixed

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-other-vectalign

[huntr-helper]

👋 Hello, @bonnyfone - @Anon-Artist has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@bonnyfone & @Anon-Artist - thank you for your efforts in securing the world’s open source code! 🎉