How to prevent XML External Entity injection on TransformerFactory

Time: 2022-10-10 13:03:22

My problem:

Fortify 4.2.1 is marking the code below as susceptible to an XML External Entities attack.

TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);

Solutions I have tried:

  1. Setting the TransformerFactory feature XMLConstants.FEATURE_SECURE_PROCESSING to true.

  2. Looked into the possibility of providing more such features to TransformerFactory, just as we do for DOM and SAX parsers, e.g. disallowing the doctype declaration, etc. But TransformerFactoryImpl doesn't seem to accept anything other than XMLConstants.FEATURE_SECURE_PROCESSING. Impl Code

Please point me to any resource that you think I might not have gone through, or a possible solution to this issue.

2 answers

#1


2  

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I think this would be sufficient.

Fortify would suggest the features below, but those don't work for TransformerFactory:

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

We might need to change to a different parser to make use of them.
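An added example, not code from the question or this answer: it wires the three settings above into a factory and then checks that a stylesheet whose DTD declares an external entity is rejected before any resource is fetched. The class and method names are my own, and the stylesheet is a constructed sample.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformerDemo {

    /** Returns a TransformerFactory with external DTD and stylesheet access switched off. */
    public static TransformerFactory newHardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Secure processing turns on the JAXP resource limits and restricts extension functions.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means no protocol is allowed: external DTDs and entities are never fetched.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Same for xsl:import / xsl:include / document(): no external stylesheet or document is loaded.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Compiles the stylesheet text and applies it to the document text, returning the output. */
    public static String transform(TransformerFactory factory, String xsl, String xml) throws TransformerException {
        Transformer transformer = factory.newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = newHardenedFactory();

        // Constructed sample: the stylesheet's DTD declares an entity backed by a file: URL.
        // With ACCESS_EXTERNAL_DTD="" the factory refuses to resolve it, whether or not the file exists.
        String xslWithExternalEntity = "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"file:///tmp/placeholder.txt\">]>"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template></xsl:stylesheet>";
        try {
            transform(factory, xslWithExternalEntity, "<doc/>");
            System.out.println("UNEXPECTED: the external entity was resolved");
        } catch (TransformerException e) {
            // The built-in XSLTC reports the accessExternalDTD restriction here.
            System.out.println("Blocked as expected: " + e.getMessage());
        }
    }
}
```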

#2


0  

Because there are a lot of XML parsing engines on the market, each of them has its own mechanism to disable external entity injection. Please refer to the documentation of your engine. Below is an example to prevent it when using a SAX parser.

The fundamental point is to disallow the DOCTYPE declaration. However, if it is required, disabling external general entities and external parameter entities will not trick the underlying SAX parser into XXE injection.

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class MyDocumentBuilderFactory {

    public static DocumentBuilderFactory newDocumentBuilderFactory() {

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

        try {
            // Reject any DOCTYPE declaration, so no entities (internal or external) can be declared at all.
            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // If a DOCTYPE must be accepted, at least stop the parser from resolving external entities.
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        } catch (ParserConfigurationException exp) {
            exp.printStackTrace();
        }

        return documentBuilderFactory;
    }
}
