Question

我已就该主题进行了研究，但未找到任何相关信息

我们是否需要采取任何安全措施来保护javax.xml.transform.Transformer免受XML外部实体攻击？

我做了以下操作，似乎扩展了dtd。

String fileData = "<!DOCTYPE acunetix [  <!ENTITY sampleVal SYSTEM \"file:///media/sample\">]><username>&sampleVal;</username>";
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer();
StringWriter buff = new StringWriter();
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
System.out.println(buff.toString());

输出包含文件中的值

<username>test</username>

Answer 1

您的代码似乎正确无误。当我运行这个稍微修改过的JUnit测试用例时：

@Test
public void test() throws TransformerException, URISyntaxException {
  File testFile = new File(getClass().getResource("test.txt").toURI());
  assertTrue(testFile.exists());
  String fileData = "<!DOCTYPE acunetix [  <!ENTITY foo SYSTEM \"file://" + 
                    testFile.toString() +
                    "\">]><xxe>&foo;</xxe>";
  TransformerFactory transformerFactory = TransformerFactory.newInstance();
  System.out.println(transformerFactory.getClass().getName());
  transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  Transformer transformer = transformerFactory.newTransformer();
  StringWriter buff = new StringWriter();
  transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
  transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
  assertEquals("<xxe>&foo;</xxe>", buff.toString());
}

我得到以下输出：

com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
[Fatal Error] :1:182: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
ERROR:  'External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.'

来自setFeature JavaDocs：

所有实现都需要支持XMLConstants.FEATURE_SECURE_PROCESSING功能。当功能是：


true：实现将限制XML处理以符合实现限制，并以实现定义的安全方式运行。示例包括解析用户定义的样式表和函数。如果出于安全原因限制XML处理，则会通过调用已注册的ErrorListener.fatalError（TransformerException异常）来报告。请参见setErrorListener（ErrorListener侦听器）。

如果我注释掉transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);，那么该错误就会消失，然后由于实体已经解析而导致测试失败。

尝试向TransformerFactory和Transformer添加ErrorListener：

transformerFactory.setErrorListener(new ErrorListener() {

  @Override
  public void warning(TransformerException exception) throws TransformerException {
    System.out.println("In Warning: " + exception.toString());
  }

  @Override
  public void error(TransformerException exception) throws TransformerException {
    System.out.println("In Error: " + exception.toString());
  }

  @Override
  public void fatalError(TransformerException exception) throws TransformerException {
    System.out.println("In Fatal: " + exception.toString());
  }
});

Transformer transformer = transformerFactory.newTransformer();
transformer.setErrorListener(transformerFactory.getErrorListener());

我现在看到以下新的控制台输出：

In Error: javax.xml.transform.TransformerException: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.

也许您的实施将其视为警告？否则，也许它是你正在使用的实现？看起来JavaDoc规范并不精确，因此一个实现可能会做一些与另一个不同的实现。我有兴趣知道错误的实施！

如何从XML外部攻击中保护javax.xml.transform.TransformerFactory

1 个答案: