https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
http://www.gonandy.com/2016/12/xxe-injection/
DocumentBuilderFactory
http://www.gonandy.com/2016/12/xxe-injection/
DocumentBuilderFactory
StAX and XMLInputFactory
StAX parsers such as XMLInputFactory allow various properties and features to be set.
To protect a Java XMLInputFactory from XXE, do this:
- xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
- xmlInputFactory.setProperty(“javax.xml.stream.isSupportingExternalEntities”, false); // disable external entities
TransformerFactory(JDK7)
To protect a Java TransformerFactory from XXE, do this:
- TransformerFactory tf = TransformerFactory.newInstance();
- tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
- tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
- tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,true);
Validator
To protect a Java Validator from XXE, do this:
- SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
SchemaFactory
To protect a SchemaFactory from XXE, do this:
- SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
- factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
- factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
- Schema schema = factory.newSchema(Source);
SAXTransformerFactory
To protect a Java SAXTransformerFactory from XXE, do this:
- SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
- sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
- sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
- sf.newXMLFilter(Source);
XMLReader
To protect a Java XMLReader from XXE, do this:
- XMLReader spf = XMLReaderFactory.createXMLReader();
- spf.setFeature(“http://xml.org/sax/features/external-general-entities”, false);
- spf.setFeature(“http://xml.org/sax/features/external-parameter-entities“, false);
- spf.setFeature(“http://apache.org/xml/features/nonvalidating/load-external-dtd”,false);
Unmarshaller
Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass the source object to the Unmarshaller. For example:
- SAXParserFactory spf = SAXParserFactory.newInstance();
- spf.setFeature(“http://xml.org/sax/features/external-general-entities”, false);
- spf.setFeature(“http://xml.org/sax/features/external-parameter-entities“, false);
- spf.setFeature(“http://apache.org/xml/features/nonvalidating/load-external-dtd“, false);
- Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
- JAXBContext jc = JAXBContext.newInstance(Object.class);
- Unmarshaller um = jc.createUnmarshaller();
- um.unmarshal(xmlSource);
XPathExpression
An XPathExpression is similar to an Unmarshaller where it can’t be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. For example:
- DocumentBuilderFactory df =DocumentBuilderFactory.newInstance();
- df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
- df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
- builder = df.newDocumentBuilder();
- xPathExpression.evaluate( builder.parse(new ByteArrayInputStream(xml.getBytes())) );
No comments:
Post a Comment