Info Call to XML parsing API

Description

Improper XML parsing could lead to several vulnerabilities, which could in turn lead to arbitrary file access (XML External Entity (XXE) injection, XML injection) or denial of service (billion laughs, quadratic blowup).

Recommendation

This entry is informational; no recommendation applies.

Technical details

Method android.support.v7.widget.ActivityChooserModel$PersistHistoryAsyncTask.doInBackground() calling method android.util.Xml.newSerializer()


    /**
     * Writes the historical-record list to an app-private file as XML.
     *
     * Decompiler output, not compilable Java: null/true/false are rendered as 0/1, and the
     * try/catch layout below does not reflect the original statement order (the write loop
     * appears after the handlers; the handler that rethrows is presumably the original
     * {@code finally} block -- TODO confirm against the library source).
     *
     * Relevance to the finding: the flagged call is android.util.Xml.newSerializer(). This
     * method only produces XML through the XmlSerializer API; no XML input is parsed in the
     * visible code, so the parser-side risks named in the description (external entities,
     * entity expansion) are not exercised by this method itself.
     *
     * @param p19 p19[0] is cast to a List of HistoricalRecord, p19[1] to the String file name
     * @return always the null reference (rendered as 0 by the decompiler) on the visible return paths
     */
    public varargs Void doInBackground(Object[] p19)
    {
        java.util.List v4_1 = ((java.util.List) p19[0]);
        String v5_1 = ((String) p19[1]);
        try {
            // Mode 0 is Context.MODE_PRIVATE: the file is created in the app's own data directory.
            java.io.FileOutputStream v3 = this.this$0.mContext.openFileOutput(v5_1, 0);
            // Flagged call: obtains a serializer (XML writer), not a parser.
            org.xmlpull.v1.XmlSerializer v12 = android.util.Xml.newSerializer();
            try {
                // Second argument 0 is presumably a null encoding -- decompiler rendering, confirm.
                v12.setOutput(v3, 0);
                v12.startDocument("UTF-8", Boolean.valueOf(1));
                v12.startTag(0, "historical-records");
                // Record count is captured once, before the loop removes elements from the list.
                int v11 = v4_1.size();
                int v6 = 0;
            } catch (IllegalArgumentException v7) {
                // Each handler logs the failure with the history file name, sets
                // mCanReadHistoricalData and closes the stream.
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, new StringBuilder().append("Error writing historical record file: ").append(this.this$0.mHistoryFileName).toString(), v7);
                this.this$0.mCanReadHistoricalData = 1;
                if (v3 == null) {
                    java.io.IOException v13_3 = 0;
                    return v13_3;
                } else {
                    try {
                        v3.close();
                    } catch (java.io.IOException v13) {
                        // Close failure is deliberately ignored (best-effort cleanup).
                    }
                }
            } catch (IllegalStateException v9) {
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, new StringBuilder().append("Error writing historical record file: ").append(this.this$0.mHistoryFileName).toString(), v9);
                this.this$0.mCanReadHistoricalData = 1;
                if (v3 == null) {
                } else {
                    try {
                        v3.close();
                    } catch (java.io.IOException v13) {
                        // Close failure is deliberately ignored (best-effort cleanup).
                    }
                }
            } catch (java.io.IOException v8) {
                android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, new StringBuilder().append("Error writing historical record file: ").append(this.this$0.mHistoryFileName).toString(), v8);
                this.this$0.mCanReadHistoricalData = 1;
                if (v3 == null) {
                } else {
                    try {
                        v3.close();
                    } catch (java.io.IOException v13) {
                        // Close failure is deliberately ignored (best-effort cleanup).
                    }
                }
            } catch (java.io.IOException v13_2) {
                // NOTE(review): second IOException handler with a rethrow and `catch (int v14)`
                // looks like the decompiled form of a finally block -- confirm.
                this.this$0.mCanReadHistoricalData = 1;
                if (v3 != null) {
                    try {
                        v3.close();
                    } catch (int v14) {
                    }
                }
                throw v13_2;
            }
            // Write loop: removes records from the front of the list and emits one
            // <historical-record> element per record.
            while (v6 < v11) {
                android.support.v7.widget.ActivityChooserModel$HistoricalRecord v10_1 = ((android.support.v7.widget.ActivityChooserModel$HistoricalRecord) v4_1.remove(0));
                v12.startTag(0, "historical-record");
                // Attribute values are handed to the serializer API rather than concatenated
                // into markup by this code.
                v12.attribute(0, "activity", v10_1.activity.flattenToString());
                v12.attribute(0, "time", String.valueOf(v10_1.time));
                v12.attribute(0, "weight", String.valueOf(v10_1.weight));
                v12.endTag(0, "historical-record");
                v6++;
            }
            v12.endTag(0, "historical-records");
            v12.endDocument();
            this.this$0.mCanReadHistoricalData = 1;
            if (v3 == null) {
            } else {
                try {
                    v3.close();
                } catch (java.io.IOException v13) {
                    // Close failure is deliberately ignored (best-effort cleanup).
                }
            }
        } catch (java.io.FileNotFoundException v2) {
            // The output file could not be opened: log with the requested file name and return null.
            android.util.Log.e(android.support.v7.widget.ActivityChooserModel.LOG_TAG, new StringBuilder().append("Error writing historical record file: ").append(v5_1).toString(), v2);
            v13_3 = 0;
            return v13_3;
        }
    }

Method org.xmlpull.v1.XmlPullParserFactory.<clinit>() calling method org.xmlpull.v1.XmlPullParserFactory.<init>()


    /**
     * Static initializer (decompiler rendering of {@code <clinit>}).
     *
     * Constructs one factory instance only to obtain its Class object, which is stored in
     * referenceContextClass. The finding is raised because the factory constructor is called;
     * no XML document is read or parsed in this block.
     */
    static XmlPullParserFactory()
    {
        org.xmlpull.v1.XmlPullParserFactory.referenceContextClass = new org.xmlpull.v1.XmlPullParserFactory().getClass();
        return;
    }

Method org.xmlpull.v1.XmlPullParserFactory.newInstance() calling method org.xmlpull.v1.XmlPullParserFactory.<init>()


    /**
     * Builds an XmlPullParserFactory from a comma-separated list of implementation class names.
     *
     * Decompiler output, not compilable Java: null is rendered as 0, a constructor call is
     * split across two statements, and variable scopes do not match the original source.
     *
     * Security-relevant behaviour visible here: every listed name is loaded with
     * Class.forName() and instantiated with newInstance() BEFORE its type is checked, so a
     * named class's static initializer and no-argument constructor run even if the class is
     * later rejected as incompatible. The list comes either from the caller (p20) or from the
     * classpath resource /META-INF/services/org.xmlpull.v1.XmlPullParserFactory, so both must
     * be treated as trusted configuration; callers should not pass externally controlled
     * strings as p20.
     *
     * @param p20 comma-separated class names; null, empty or "DEFAULT" selects the classpath resource
     * @param p21 class used to look up the resource; null selects referenceContextClass
     * @return the first listed class that is a factory, otherwise a new default factory,
     *         populated with the parser and serializer classes that were found
     * @throws org.xmlpull.v1.XmlPullParserException if the resource is missing or cannot be
     *         opened, or a listed class is none of parser, serializer or factory
     */
    public static org.xmlpull.v1.XmlPullParserFactory newInstance(String p20, Class p21)
    {
        if (p21 == null) {
            p21 = org.xmlpull.v1.XmlPullParserFactory.referenceContextClass;
        }
        if ((p20 != null) && ((p20.length() != 0) && (!"DEFAULT".equals(p20)))) {
            // Caller supplied the list; v5 only records where the names came from.
            String v5 = new StringBuilder().append("parameter classNames to newInstance() that contained \'").append(p20).append("\'").toString();
        } else {
            try {
                java.io.InputStream v10 = p21.getResourceAsStream("/META-INF/services/org.xmlpull.v1.XmlPullParserFactory");
            } catch (Exception v7) {
                // Decompiler rendering of `throw new XmlPullParserException(null, null, v7)`.
                org.xmlpull.v1.XmlPullParserException v17_10 = new org.xmlpull.v1.XmlPullParserException;
                v17_10(0, 0, v7);
                throw v17_10;
            }
            if (v10 != null) {
                StringBuffer v15_1 = new StringBuffer();
                // Reads the resource one byte at a time and keeps only values above 32,
                // which drops spaces, line breaks and control characters.
                while(true) {
                    int v4 = v10.read();
                    if (v4 < 0) {
                        break;
                    }
                    if (v4 > 32) {
                        v15_1.append(((char) v4));
                    }
                }
                // NOTE(review): close() is not in a finally block in this listing, so a failing
                // read() would leave the stream open -- may be a decompilation artifact.
                v10.close();
                p20 = v15_1.toString();
                v5 = new StringBuilder().append("resource /META-INF/services/org.xmlpull.v1.XmlPullParserFactory that contained \'").append(p20).append("\'").toString();
            } else {
                throw new org.xmlpull.v1.XmlPullParserException("resource not found: /META-INF/services/org.xmlpull.v1.XmlPullParserFactory make sure that parser implementing XmlPull API is available");
            }
        }
        org.xmlpull.v1.XmlPullParserFactory v8_1 = 0;
        java.util.Vector v12_1 = new java.util.Vector();
        java.util.Vector v16_1 = new java.util.Vector();
        int v13 = 0;
        // Walks the list entry by entry; 44 is the character code of ','.
        while (v13 < p20.length()) {
            int v6 = p20.indexOf(44, v13);
            if (v6 == -1) {
                v6 = p20.length();
            }
            String v11 = p20.substring(v13, v6);
            Object v9 = 0;
            try {
                // Loads and instantiates the named class; the type checks come afterwards.
                Class v3 = Class.forName(v11);
                v9 = v3.newInstance();
            } catch (org.xmlpull.v1.XmlPullParserException v17) {
                // Load/instantiation failures are ignored and the entry is skipped.
                // NOTE(review): the caught type shown here is probably a decompiler artifact -- confirm.
            }
            if (v3 != null) {
                // v14 records whether the instance matched at least one supported role.
                int v14 = 0;
                if ((v9 instanceof org.xmlpull.v1.XmlPullParser)) {
                    v12_1.addElement(v3);
                    v14 = 1;
                }
                if ((v9 instanceof org.xmlpull.v1.XmlSerializer)) {
                    v16_1.addElement(v3);
                    v14 = 1;
                }
                if ((v9 instanceof org.xmlpull.v1.XmlPullParserFactory)) {
                    // Only the first factory found in the list is kept.
                    if (v8_1 == null) {
                        v8_1 = ((org.xmlpull.v1.XmlPullParserFactory) v9);
                    }
                    v14 = 1;
                }
                if (v14 == 0) {
                    throw new org.xmlpull.v1.XmlPullParserException(new StringBuilder().append("incompatible class: ").append(v11).toString());
                }
            }
            v13 = (v6 + 1);
        }
        if (v8_1 == null) {
            // No factory class was listed: fall back to the default implementation.
            v8_1 = new org.xmlpull.v1.XmlPullParserFactory();
        }
        v8_1.parserClasses = v12_1;
        v8_1.serializerClasses = v16_1;
        v8_1.classNamesLocation = v5;
        return v8_1;
    }