Veracode CWE ID 611

Time: 2019-03-06 08:18:18

Tags: veracode

I have a piece of code that Veracode flags for Improper Restriction of XML External Entity Reference ('XXE').

Code:

Transformer transformer = TransformerFactory.newInstance().newTransformer();
StreamResult result = new StreamResult(new StringWriter());
DOMSource source = new DOMSource(node);
transformer.transform(source, result); // CWE ID 611, impacted line.

I have used

transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

but with no luck.

3 answers:

Answer 0 (score: 0)

The issue was resolved with the following code:

TransformerFactory factory = TransformerFactory.newInstance();
// The JAXP 1.5 access restrictions are attributes of the factory, not output properties of a Transformer.
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
StreamResult result = new StreamResult(new StringWriter());
DOMSource source = new DOMSource(node);
factory.newTransformer().transform(source, result);

Answer 1 (score: 0)

I suggest wrapping it in a try-catch block.

try {
    transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    // JAXP 1.5 attribute not supported by this runtime
}

Answer 2 (score: 0)

For anyone running the application on JDK 5 or earlier, note that you will not have the following XML constants available:

transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Instead, you will have to parse into a Document using a secured DocumentBuilder and then use a DOMSource in the transformer.

private static void example(String xmlDocument, Result result) throws ParserConfigurationException, IOException, SAXException, TransformerException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    // Resolve every external entity to an empty document so nothing is fetched from disk or network.
    db.setEntityResolver(new EntityResolver() {
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            return new InputSource(new StringReader(""));
        }
    });
    Document doc = db.parse(new InputSource(new StringReader(xmlDocument)));

    // The DOM is already safe, so the transformer never sees an external reference.
    DOMSource domSource = new DOMSource(doc);
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(domSource, result);
}
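Putting the three answers together, as an added example that is not part of the question or of any answer on this page: a hardened DocumentBuilder (Answer 2's approach, but refusing any DOCTYPE outright rather than relying on an empty entity resolver) feeds a TransformerFactory configured the way Answer 0 and Answer 1 describe. The class name, method names and the constructed sample XML are my own.

```java
import java.io.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.*;

public class SafeTransform {
    // Constructed sample input: declares an external entity, as an XXE payload would.
    static final String XXE_SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [<!ENTITY ext SYSTEM \"file:///path/that/must/not/be/read\">]>\n"
        + "<foo>&ext;</foo>";
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE (Xerces feature, present in the JDK's built-in parser)
        // rules out external entities before any entity resolver is consulted.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        try {
            // Set on the factory: setOutputProperty on the Transformer has no effect here.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Pre-JAXP-1.5 runtime: the hardened DocumentBuilder is then the only guard.
        }
        return tf;
    }

    public static String transform(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        StringWriter out = new StringWriter();
        hardenedTransformerFactory().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(transform("<foo>safe</foo>"));
        try { transform(XXE_SAMPLE); }
        catch (SAXParseException e) { System.out.println("Rejected: " + e.getMessage()); }
    }
}
```

Running it prints the serialised `<foo>safe</foo>` document and then the parser's rejection message for the DOCTYPE-bearing sample, which is the behaviour Veracode's CWE 611 finding expects the code to guarantee.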