强化XML外部实体注入修复

时间:2016-07-07 13:49:50

标签: java fortify xxe

当我使用fortify工具进行扫描时,我在“XML外部实体注入”下遇到了一些问题。

TransformerFactory trfactory = TransformerFactory.newInstance(); 

这是显示错误的地方。我已按照fortify的建议给出了以下修复

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false); 
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 

但问题仍然没有解决。如何解决这个问题?

5 个答案:

答案 0 :(得分:1)

如果java版本不兼容,有时它将无效。

if (javaVersion > 1.6) {
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      }
else {
        if (javaVersion > 1.5) {
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
        }
else {
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
        }
 }
  

它对我有用: - )

答案 1 :(得分:1)

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

这就足够了。

答案 2 :(得分:0)

我试过" Xalan"实现类而不是TransformerFactory.newInstance()。它对我有用,强化问题得到修复

        TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
        Transformer transformer = transformerFactoryImpl.newTransformer();

答案 3 :(得分:0)

您也可以尝试:

    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    Transformer transformer = transformerFactoryImpl.newTransformer();
    transformer.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

答案 4 :(得分:0)

添加此行。它为我工作。

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);