Improper Restriction of XML External Entity Reference - using DocumentBuilderFactory

Time: 2017-06-09 19:37:30

Tags: java xml external veracode xxe

I have been trying to resolve the Veracode "Improper Restriction of XML External Entity Reference" flaw. I looked into the issue online and found some suggestions on how to fix it, namely:

To my frustration, Veracode still reports the flaw, and I am frankly at a loss as to how to proceed. I have installed Java 8 and am using JRE 1.8.

Here is my code snippet (edited per VGR's suggestion):

import java.io.IOException;
import java.io.Reader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// `reader` is the Reader supplying the XML; it is created elsewhere in the caller.
try {
    InputSource inputSource = new InputSource(reader);
    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();

    // Reject any DOCTYPE outright and disable external entity / external DTD loading.
    dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    // JAXP 1.5 access-restriction properties: an empty string denies every protocol.
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // XMLInputFactory.SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES are StAX
    // (XMLInputFactory) property names, not DocumentBuilderFactory attributes; the
    // JDK's built-in DocumentBuilderFactory throws IllegalArgumentException for
    // attribute names it does not recognise, so these two lines are left disabled.
    // dbFactory.setAttribute(XMLInputFactory.SUPPORT_DTD, false);
    // dbFactory.setAttribute(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

    dbFactory.setXIncludeAware(false);
    dbFactory.setExpandEntityReferences(false);

    DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
    org.w3c.dom.Document doc = dBuilder.parse(inputSource);
    doc.getDocumentElement().normalize();
} catch (IOException e) {
    e.printStackTrace();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
} catch (SAXException e) {
    e.printStackTrace();
}

How can I resolve this?

0 answers:

No answers
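A local self-check that confirms the hardened factory really refuses DOCTYPE-bearing input, independently of what the scanner reports. This is an added example, not code from the question; the class name XxeSelfCheck, the `isRejected` helper and the constructed XML inputs (with a placeholder entity URI) are assumptions of mine.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeSelfCheck {

    // Factory hardened with the DocumentBuilderFactory features from the question;
    // all of them are recognised by the JDK's built-in Xerces parser.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the parser refuses the document with a SAXParseException,
    // which is the expected outcome for any DOCTYPE once disallow-doctype-decl is on.
    static boolean isRejected(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = b.parse(new InputSource(new StringReader(xml)));
            doc.getDocumentElement().normalize();
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE that
        // declares an external entity (placeholder URI; nothing is ever fetched).
        String benign = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<root>&ext;</root>";
        System.out.println("benign rejected:  " + isRejected(benign));
        System.out.println("doctype rejected: " + isRejected(withDoctype));
    }
}
```

If the second line does not print true, the parser in use is not the one being configured (for example a different JAXP implementation on the classpath), which is worth checking before revisiting the feature list.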