XXE 在不同 XML 函式庫中的修復代碼略有差別，但原理相同，都是透過：
1、禁止解析器加載外部實體（含外部 DTD）；
2、不允許 XML 中含有任何自己聲明的 DTD（DOCTYPE）。
其中第 2 項是首選：沒有 DOCTYPE 就無法聲明任何實體，連同內部實體遞迴展開（billion laughs）型的 DoS 也一併擋掉；只做第 1 項只能阻止外部實體讀取，擋不住內部實體展開。另外，setFeature 在解析器不支援該 feature 時會拋出異常，此時應視為修復失敗而中止解析，不可捕捉後忽略，否則會在沒有防護的情況下靜默解析 XML。
例1: //DOM Read XML
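DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
/* --- XXE hardening (start) --- */
// Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
// Every setFeature() below throws ParserConfigurationException when the underlying parser does
// not support the feature. Let it propagate (fail closed); never catch-and-ignore it, or the
// document is parsed with the protection silently missing.
//
// Preferred: reject any DOCTYPE. With no DTD no entity (external or internal) can be declared,
// so this also blocks entity-expansion DoS ("billion laughs"), which the two external-entity
// switches further down do not.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defense in depth, and the fallback if a DOCTYPE must be allowed: both must be set together
// (general entities cover file-read / SSRF PoCs, parameter entities cover out-of-band PoCs).
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Also stop the parser fetching an external DTD named by the DOCTYPE (Xerces feature, listed in
// the cheat sheet above).
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// XInclude and entity-reference expansion are separate inclusion paths; the cheat sheet
// disables both as well.
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
/* --- XXE hardening (end) --- */
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(request.getInputStream());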
例2: //DOM4J Read XML
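SAXReader saxReader = new SAXReader();
/* --- XXE hardening (start) --- */
// Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
// SAXReader.setFeature() throws SAXException (e.g. SAXNotRecognizedException) when the SAX
// parser dom4j picked up does not know the feature. Let it propagate so the fix fails closed;
// do not catch-and-ignore it.
//
// Preferred: reject any DOCTYPE. With no DTD no entity (external or internal) can be declared,
// so this also blocks entity-expansion DoS ("billion laughs"), which the two external-entity
// switches further down do not.
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defense in depth, and the fallback if a DOCTYPE must be allowed: both must be set together
// (general entities cover file-read / SSRF PoCs, parameter entities cover out-of-band PoCs).
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Also stop the parser fetching an external DTD named by the DOCTYPE (Xerces feature name, as
// is disallow-doctype-decl above; both presume a Xerces-based parser — confirm for the JDK/
// parser in use).
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
/* --- XXE hardening (end) --- */
Document document = saxReader.read(request.getInputStream());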
例3: //JDOM2 Read XML
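SAXBuilder builder = new SAXBuilder();
/* --- XXE hardening (start) --- */
// Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
// NOTE(review): JDOM2 presumably applies these features to its XMLReader when build() runs, so
// an unsupported feature surfaces as an exception from build(), not from setFeature() — let it
// propagate (fail closed) rather than catch-and-ignore it; confirm against the JDOM2 version used.
//
// Preferred: reject any DOCTYPE. With no DTD no entity (external or internal) can be declared,
// so this also blocks entity-expansion DoS ("billion laughs"), which the two external-entity
// switches further down do not.
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defense in depth, and the fallback if a DOCTYPE must be allowed: both must be set together
// (general entities cover file-read / SSRF PoCs, parameter entities cover out-of-band PoCs).
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Also stop the parser fetching an external DTD named by the DOCTYPE (Xerces feature name, as
// is disallow-doctype-decl above; both presume a Xerces-based parser — confirm for the JDK/
// parser in use).
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
/* --- XXE hardening (end) --- */
Document document = builder.build(request.getInputStream());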
例4: //SAX Read XML
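SAXParserFactory factory = SAXParserFactory.newInstance();
/* --- XXE hardening (start) --- */
// Reference: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
// Every setFeature() below throws (ParserConfigurationException / SAXNotRecognizedException /
// SAXNotSupportedException) when the underlying parser does not support the feature. Let it
// propagate (fail closed); never catch-and-ignore it, or the input is parsed unprotected.
//
// Preferred: reject any DOCTYPE. With no DTD no entity (external or internal) can be declared,
// so this also blocks entity-expansion DoS ("billion laughs"), which the two external-entity
// switches further down do not.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defense in depth, and the fallback if a DOCTYPE must be allowed: both must be set together
// (general entities cover file-read / SSRF PoCs, parameter entities cover out-of-band PoCs).
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Also stop the parser fetching an external DTD named by the DOCTYPE (Xerces feature, listed in
// the cheat sheet above).
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// XInclude is a separate inclusion path; the cheat sheet disables it as well.
factory.setXIncludeAware(false);
/* --- XXE hardening (end) --- */
SAXParser saxparser = factory.newSAXParser();
SAXHandler handler = new SAXHandler();
saxparser.parse(request.getInputStream(), handler);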