问题
I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow
...
DocumentBuilderFactory dbf=null;
DocumentBuilder db = null;
try {
dbf=DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setExpandEntityReferences(false);
dbf.setXIncludeAware(false);
dbf.setValidating(false);
dbf.newDocumentBuilder();
InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
Document doc = db.parse(stream, "");
...
I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?
回答1:
Have you seen the OWASP guide about XXE?
You are not disabling the 3 features you should disable. Most importantly the first one:
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
来源:https://stackoverflow.com/questions/30978855/veracode-xml-external-entity-reference-xxe