Java and Eclipse Plugin Development: xml external injection

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
http://www.gonandy.com/2016/12/xxe-injection/

DocumentBuilderFactory

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

   DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

    String FEATURE = null;

      // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented

      // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl

      FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

      dbf.setFeature(FEATURE, true);

      // If you can't completely disable DTDs, then at least do the following:

      // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities

      // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities

      // JDK7+ - http://xml.org/sax/features/external-general-entities    

      FEATURE = "http://xml.org/sax/features/external-general-entities";

      dbf.setFeature(FEATURE, false);

      // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities

      // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities

      // JDK7+ - http://xml.org/sax/features/external-parameter-entities    

      FEATURE = "http://xml.org/sax/features/external-parameter-entities";

      dbf.setFeature(FEATURE, false);

      // Disable external DTDs as well

      FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

      dbf.setFeature(FEATURE, false);

      // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)

      dbf.setXIncludeAware(false);

      dbf.setExpandEntityReferences(false);

StAX and XMLInputFactory

StAX parsers such as XMLInputFactory allow various properties and features to be set.

To protect a Java XMLInputFactory from XXE, do this:

xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory
xmlInputFactory.setProperty(“javax.xml.stream.isSupportingExternalEntities”, false); // disable external entities

TransformerFactory(JDK7)

To protect a Java TransformerFactory from XXE, do this:

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,true);

Validator

To protect a Java Validator from XXE, do this:

SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);

SchemaFactory

To protect a SchemaFactory from XXE, do this:

SchemaFactory factory = SchemaFactory.newInstance(“http://www.w3.org/2001/XMLSchema“);
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
Schema schema = factory.newSchema(Source);

SAXTransformerFactory

To protect a Java SAXTransformerFactory from XXE, do this:

SAXTransformerFactory sf = SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, “”);
sf.newXMLFilter(Source);

XMLReader

To protect a Java XMLReader from XXE, do this:

XMLReader spf = XMLReaderFactory.createXMLReader();
spf.setFeature(“http://xml.org/sax/features/external-general-entities”, false);
spf.setFeature(“http://xml.org/sax/features/external-parameter-entities“, false);
spf.setFeature(“http://apache.org/xml/features/nonvalidating/load-external-dtd”,false);

Unmarshaller

Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it’s imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass the source object to the Unmarshaller. For example:

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(“http://xml.org/sax/features/external-general-entities”, false);
spf.setFeature(“http://xml.org/sax/features/external-parameter-entities“, false);
spf.setFeature(“http://apache.org/xml/features/nonvalidating/load-external-dtd“, false);

Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(xmlSource);

XPathExpression

An XPathExpression is similar to an Unmarshaller where it can’t be configured securely by itself, so the untrusted data must be parsed through another securable XML parser first. For example:

DocumentBuilderFactory df =DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, “”);
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, “”);
builder = df.newDocumentBuilder();
xPathExpression.evaluate( builder.parse(new ByteArrayInputStream(xml.getBytes())) );

Java and Eclipse Plugin Development

Sunday, August 6, 2017

XML external injection resolutions