I have a piece of code that Veracode flags for Improper Restriction of XML External Entity Reference ('XXE').
Code:
Transformer transformer = TransformerFactory.newInstance().newTransformer();
StreamResult result = new StreamResult(new StringWriter()); // serialise into a String
DOMSource source = new DOMSource(node);                     // node is an already-parsed DOM Node
transformer.transform(source, result); // CWE ID 611, flagged line.
I have tried
transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // output properties control serialisation, not parsing
transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
but with no luck.
Answer 0 (score: 0)
The problem was solved with the following code:
TransformerFactory factory = TransformerFactory.newInstance();
// JAXP 1.5 attributes are set on the factory, not on the Transformer it produces.
// An empty protocol list means no external DTD / stylesheet access is allowed.
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
StreamResult result = new StreamResult(new StringWriter());
DOMSource source = new DOMSource(node);
factory.newTransformer().transform(source, result);
Answer 1 (score: 0)
I suggest wrapping it in a try-catch block.
try {
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    // JAXP 1.5 attributes not supported by this TransformerFactory implementation
}
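The two answers above, put together in a form you can run, as an added example that is not code from the original question or answers. It builds a TransformerFactory with the JAXP 1.5 access attributes from answer 0, wrapped in the try-catch from answer 1 (here failing closed instead of silently continuing), and feeds it a constructed XXE payload through a StreamSource so that the parser inside the transformer is the one doing the entity resolution. The file path in the payload, the class name and the method names are assumptions for the demonstration. Note that the asker's setOutputProperty calls touch only the serialiser (method, indent, encoding and so on), which is why they had no effect on what the parser was allowed to fetch.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerExample {

    // Constructed test input (assumption: file path chosen for the demo only):
    // an internal DTD subset declares an external entity and expands it into the body.
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
          + "<data>&xxe;</data>";

    /** Builds a TransformerFactory that refuses to fetch external DTDs, entities and stylesheets. */
    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // JAXP secure processing: caps entity expansion; on the JDK's built-in
        // implementation it also switches the two access properties below to "".
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Explicit empty protocol list: no protocol is allowed, so no external access.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Pre-JAXP 1.5 implementation: the attributes do not exist there.
            // For untrusted input, failing closed is safer than carrying on unprotected.
            throw new TransformerConfigurationException(
                    "JAXP 1.5 external-access attributes not supported by "
                    + factory.getClass().getName(), e);
        }
        return factory;
    }

    /** Runs the identity transform over raw XML text and returns the serialised result. */
    public static String identityTransform(TransformerFactory factory, String xml)
            throws TransformerException {
        Transformer transformer = factory.newTransformer();
        StringWriter out = new StringWriter();
        // StreamSource: the transformer's own SAX parser reads the text, DTD included.
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Unhardened factory: with default settings the entity is fetched and the
        // file contents end up inside <data>...</data> (if the file exists).
        try {
            System.out.println("default : " + identityTransform(TransformerFactory.newInstance(), XXE_PAYLOAD));
        } catch (TransformerException e) {
            System.out.println("default : failed to read the referenced file: " + e.getMessage());
        }

        // Hardened factory: the parser refuses the external reference and the
        // transform fails before any file is opened.
        try {
            identityTransform(hardenedFactory(), XXE_PAYLOAD);
            System.out.println("hardened: UNEXPECTED, external entity was resolved");
        } catch (TransformerException e) {
            System.out.println("hardened: blocked, " + e.getMessage());
        }
    }
}
```

The hardening is on the factory because that is where the JDK wires the parser configuration; a Transformer obtained before the attributes are set keeps the old settings, so create the factory once, harden it, and only then call newTransformer(). Keep in mind that with a DOMSource, as in the question, the node has already been parsed: the DocumentBuilder that produced it must be hardened as well, or the entity has been expanded long before the transformer sees it.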
Answer 2 (score: 0)
For anyone running the application on JDK 5 or earlier, be aware that you will not have the following XML constants available:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Instead, you will have to use a secure document builder to parse into a Document, and then use a DOMSource in the transformer.
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Result;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

private static void example(String xmlDocument, Result result)
        throws ParserConfigurationException, IOException, SAXException, TransformerException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = dbf.newDocumentBuilder();
    // Every external entity (DTD or general entity) resolves to an empty document,
    // so nothing is ever fetched from disk or network.
    db.setEntityResolver(new EntityResolver() {
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            return new InputSource(new StringReader(""));
        }
    });
    Document doc = db.parse(new InputSource(new StringReader(xmlDocument)));
    DOMSource domSource = new DOMSource(doc); // already parsed: the transformer resolves nothing
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(domSource, result);
}
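An added example, not code from the answer above, that runs the answer's EntityResolver approach next to the stricter option available on the JDK's bundled Xerces parser, which is to reject any DOCTYPE outright. Both builders are given the same constructed XXE payload and the resulting DOM is serialised through a plain Transformer, as in the answer. The payload's file path, the class and method names are assumptions for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeDomSourceExample {

    // Constructed payload (assumption: path chosen for the demo only).
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
          + "<data>&xxe;</data>";

    /** Answer-2 style: the DTD is still parsed, but every external reference resolves to nothing. */
    static DocumentBuilder neutralisingBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Caps internal entity expansion; the resolver below does nothing against
        // an entity-expansion ("billion laughs") payload that never leaves the document.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(new EntityResolver() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        return db;
    }

    /** Stricter option on Xerces-based JAXP: refuse the DOCTYPE, so no entity is ever declared. */
    static DocumentBuilder doctypeRejectingBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);         // XInclude is another way to pull in external content
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses with the given builder and serialises the DOM, mirroring the answer's flow. */
    static String parseAndSerialise(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Neutralising resolver: parsing succeeds and &xxe; expands to an empty string,
        //    so the serialised <data> element carries no file contents.
        System.out.println("resolver : " + parseAndSerialise(neutralisingBuilder(), XXE_PAYLOAD));

        // 2. DOCTYPE rejected: the parser stops at the DOCTYPE line, before any
        //    entity declaration or external reference is examined.
        try {
            parseAndSerialise(doctypeRejectingBuilder(), XXE_PAYLOAD);
            System.out.println("doctype  : UNEXPECTED, document was accepted");
        } catch (SAXParseException e) {
            System.out.println("doctype  : rejected, " + e.getMessage());
        }
    }
}
```

The resolver approach works on any SAX-based JAXP implementation and is the portable choice for the old runtimes the answer targets; disallow-doctype-decl is a Xerces feature (the JDK's built-in parser is Xerces), and on newer runtimes it should be combined with the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes on the TransformerFactory from the earlier answers.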