我一直在尝试解决Veracode“XML外部实体参考的不当限制”缺陷。我在线查看了这个问题,并找到了一些如何解决它的建议,即:
令我沮丧的是,Veracode仍然报告了这个漏洞,而且我坦率地失去了如何继续。我安装了Java 8并使用JRE 1.8。
以下是我的代码片段(按照VGR的建议编辑):
InputSource inputSource = new InputSource(reader);
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbFactory.setAttribute(XMLInputFactory.SUPPORT_DTD, false);
dbFactory.setAttribute(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
dbFactory.setXIncludeAware(false);
dbFactory.setExpandEntityReferences(false);
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
org.w3c.dom.Document doc = dBuilder.parse(inputSource);
doc.getDocumentElement().normalize();
catch (IOException e) {
e.printStackTrace();
} catch (ParserConfigurationException e) {
e.printStackTrace();
} catch (SAXException e) {
e.printStackTrace();
}
如何解决这个问题?