Java: How to prevent XML External Entity injection on TransformerFactory

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/32178558/

Posted: 2020-11-02 19:46:44  Source: igfitidea

How to Prevent XML External Entity Injection on TransformerFactory

Tags: java, xml, xslt, fortify, xxe

Asked by Ravi Ranjan

My problem:

Fortify 4.2.1 is marking the code below as susceptible to an XML External Entities attack.

TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);

Solutions I have tried:

  1. Setting the TransformerFactory feature XMLConstants.FEATURE_SECURE_PROCESSING to true.

  2. Looked into possibilities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers, e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be accepting anything other than XMLConstants.FEATURE_SECURE_PROCESSING. (Impl Code)

Please point me to any resource that you think I might not have gone through, or a possible solution to this issue.

Answered by Kondal Kolipaka

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
// Empty string = no protocol allowed: blocks external DTDs/entities and external stylesheets (xsl:import, xsl:include, document())
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I think this would be sufficient.

Fortify would suggest the features below, but those don't work for TransformerFactory:

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

We might need to change to a different parser to make use of them.
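The following is an added, self-contained example (not code from the original question or either answer) that runs one constructed, attacker-style stylesheet through a default TransformerFactory and through one hardened as the answer above describes, so the difference is visible at runtime. The stylesheet string, the file path it names and the class name are constructed for the demonstration; the behaviour described in the comments is that of the JDK's built-in XSLTC/Xerces implementation.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Compiles the same attacker-supplied stylesheet with a default and with a
 * hardened TransformerFactory so the effect of the hardening is visible.
 */
public class HardenedTransformerDemo {

    // Constructed, attacker-style stylesheet (not from the original page). Its internal
    // DTD declares an external entity and the template body references it, so the
    // entity is resolved while the stylesheet itself is parsed, before any input XML
    // is touched. The file path is an illustrative target only.
    static final String XXE_STYLESHEET =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xsl:stylesheet [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
        + "  <xsl:output method=\"text\"/>\n"
        + "  <xsl:template match=\"/\">leaked=&xxe;</xsl:template>\n"
        + "</xsl:stylesheet>\n";

    // Constructed, benign source document.
    static final String INPUT_XML = "<root/>";

    /** The configuration Fortify flags: implementation defaults. */
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    /** The configuration from the answer above, with the checked exception declared. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: resource limits and extension functions disabled.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs or external entities in the stylesheet.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Empty protocol list: no xsl:import, xsl:include or document() fetches.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Compiles the stylesheet with the given factory and applies it to INPUT_XML. */
    static String transform(TransformerFactory tf) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(XXE_STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(INPUT_XML)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerConfigurationException {
        // Default factory: the entity is resolved during stylesheet parsing, so the
        // output carries the file contents (or an I/O error if the file is absent).
        try {
            System.out.println("default : " + transform(defaultFactory()));
        } catch (TransformerException e) {
            System.out.println("default : error: " + e.getMessage());
        }
        // Hardened factory: the parser refuses the external entity because the
        // accessExternalDTD restriction allows no protocol; the stylesheet never compiles.
        try {
            System.out.println("hardened: " + transform(hardenedFactory()));
        } catch (TransformerException e) {
            System.out.println("hardened: rejected: " + e.getMessage());
        }
    }
}
```

Two practical checks go with this. First, TransformerFactory.setAttribute throws IllegalArgumentException when the implementation on the classpath does not recognize the attribute, so run the hardening against the TransformerFactory that is actually resolved at runtime (a third-party Xalan or Saxon on the classpath replaces the JDK one), and treat that exception as a configuration failure rather than swallowing it. Second, these attributes only govern what the transformer fetches while compiling and applying the stylesheet; if the input XML is parsed separately (DOM or SAX) before being handed to the transformer, that parser needs its own XXE hardening.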

Answered by Keerthikanth Chowdary

Because there are a lot of XML parsing engines on the market, each of them has its own mechanism to disable external entity injection. Please refer to the documentation of your engine. Below is an example of preventing it when using a SAX parser.

The fundamental principle is to disallow the DOCTYPE declaration. However, if it is required, disabling external general entities and external parameter entities will keep the underlying SAX parser from being tricked into XXE injection.

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class MyDocumentBuilderFactory{

    public static DocumentBuilderFactory newDocumentBuilderFactory(){

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

        try{

            // Preferred: refuse any DOCTYPE, so no entities can be declared at all
            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
            // Fallback if a DOCTYPE must be accepted: never resolve external entities
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities",false);
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities",false);

        }catch(ParserConfigurationException exp){
            exp.printStackTrace();
        }

        return documentBuilderFactory;
    }
}
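As an added example (not part of the answer above), the following program feeds one constructed XXE payload to the default DocumentBuilderFactory, to a factory that disallows DOCTYPE, and to the fallback factory that keeps DOCTYPE but disables external entities, so the two defences described in the answer can be compared directly. The payload, the file path it names and the class name are constructed for the demonstration; the behaviour in the comments is that of the JDK's bundled Xerces parser.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Parses one XXE payload with three DocumentBuilderFactory configurations and
 * prints what each one yields.
 */
public class XxeParserDemo {

    // Constructed XXE payload: a general entity whose replacement text is read
    // from a local file. The path is an illustrative target only.
    static final String XXE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<data>&xxe;</data>\n";

    /** Preferred defence: reject any DOCTYPE, so no entity can be declared. */
    static DocumentBuilderFactory noDoctypeFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Fallback when a DOCTYPE must be accepted: keep the DTD, refuse external entities. */
    static DocumentBuilderFactory noExternalEntitiesFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Also stop the parser from fetching an external DTD named in the DOCTYPE.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses XXE_XML with the given factory and returns the root element's text. */
    static String parseText(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(XXE_XML)));
        return d.getDocumentElement().getTextContent();
    }

    static void run(String label, DocumentBuilderFactory f) {
        try {
            System.out.println(label + ": text=\"" + parseText(f).trim() + "\"");
        } catch (Exception e) {
            System.out.println(label + ": rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // Default: the entity is resolved and the file contents become element text.
        run("default             ", DocumentBuilderFactory.newInstance());
        // disallow-doctype-decl: parsing fails as soon as the DOCTYPE is seen.
        run("no-doctype          ", noDoctypeFactory());
        // External entities off: the DOCTYPE is accepted but the reference is
        // skipped, so the element text is empty and no file is read.
        run("no-external-entities", noExternalEntitiesFactory());
    }
}
```

The fallback configuration is the one to use only where inbound documents legitimately carry a DOCTYPE; it still lets an internal DTD declare entities, so pair it with the secure-processing entity-expansion limits rather than relying on it alone.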