Veracode XML External Entity Reference (XXE)

天大地大妈咪最大 提交于 2020-05-08 03:52:11

问题


I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow

...

  DocumentBuilderFactory dbf=null;      
  DocumentBuilder db = null;    
  try {         
        dbf=DocumentBuilderFactory.newInstance();  
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 
        dbf.setExpandEntityReferences(false); 
        dbf.setXIncludeAware(false);        
        dbf.setValidating(false); 
        dbf.newDocumentBuilder();   
        InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
        Document doc = db.parse(stream, "");            

...

I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?


回答1:


Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);


来源:https://stackoverflow.com/questions/30978855/veracode-xml-external-entity-reference-xxe

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!