How to Prevent XML External Entity Injection on TransformerFactory

醉梦人生 2021-02-04 17:40

My problem:

Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack.

TransformerFactory factory = Transform         
2 answers
  • 2021-02-04 17:53

    Because there are a lot of XML parsing engines on the market, each of them has its own mechanism to disable external entity injection. Please refer to the documentation of your engine. Below is an example to prevent it when using a SAX parser.

    The fundamental idea is to disallow the DOCTYPE declaration. However, if it is required, disabling external general entities and external parameter entities will keep the underlying SAX parser from being tricked into XXE injection.

    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.ParserConfigurationException;

    public class MyDocumentBuilderFactory {

        public static DocumentBuilderFactory newDocumentBuilderFactory() {

            DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

            try {
                // Primary defence: reject any DOCTYPE, so no entities can be declared at all
                documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                // If DOCTYPEs must be allowed, at least stop external entities from being resolved
                documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
                documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            } catch (ParserConfigurationException exp) {
                // Note: if a feature is unsupported by the parser the factory is still returned
                // unhardened; callers should treat this as a hard failure rather than proceed.
                exp.printStackTrace();
            }

            return documentBuilderFactory;
        }
    }

  • 2021-02-04 18:07
    import javax.xml.XMLConstants;
    import javax.xml.transform.TransformerFactory;

    TransformerFactory trfactory = TransformerFactory.newInstance();
    // setFeature throws TransformerConfigurationException; secure processing turns on the JAXP limits
    trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Empty string = no protocol allowed when resolving external DTDs/entities or external stylesheets
    trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");


    I think this would be sufficient.

    Fortify would suggest the features below, but those don't work for TransformerFactory

    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    

    We might need to change to a different parser to make use of them.

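A complete, runnable check of the hardened factory from the second answer, added here as an example (not code from the question or either answer). It assumes the JDK's built-in JAXP implementation; the class name, temp file and canary value are constructed for the demonstration. A benign document must still transform, while a document that pulls a local file in through an external general entity must be refused rather than inlined.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerDemo {
    // Hardened factory as in the answer above: secure processing on, and no
    // protocol permitted for external DTDs/entities or for external stylesheets.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Identity transform (no stylesheet). The factory's own parser reads the
    // source, so this is where the access restrictions take effect.
    static String identityTransform(TransformerFactory factory, String xml) throws TransformerException {
        Transformer transformer = factory.newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = hardenedFactory();
        // Constructed benign document (no DOCTYPE) must still transform normally.
        System.out.println("benign ok: " + identityTransform(factory, "<a><id>42</id></a>").contains("<id>42</id>"));
        // Constructed probe: a temp file stands in for a local secret and is pulled in via an
        // external general entity; the hardened factory must refuse to read it, not inline it.
        Path secret = Files.createTempFile("xxe-probe", ".txt");
        Files.write(secret, "CANARY".getBytes("UTF-8"));
        String probe = "<!DOCTYPE a [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>"
                + "<a><id>&ext;</id></a>";
        try {
            System.out.println("NOT hardened, canary inlined: " + identityTransform(factory, probe).contains("CANARY"));
        } catch (TransformerException e) {
            System.out.println("probe rejected: " + e.getMessage()); // message cites accessExternalDTD
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Comment out the two setAttribute lines and rerun to see the canary appear in the output; that is the behaviour Fortify is flagging.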