XML文件的解析与XXE防护

DOM 

DOM的全称是Document Object Model，也即文档对象模型。在应用程序中，基于DOM的XML分析器将一个XML文档转换成一个对象模型的集合（通常称DOM树），应用程序正是通过对这个对象模型的操作，来实现对XML文档数据的操作。

import javax.xml.parsers.DocumentBuilderFactory;

import javax.xml.parsers.ParserConfigurationException; // catching unsupported features

...

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

    String FEATURE = null;

    try {

      // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented

      // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl

      FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

      dbf.setFeature(FEATURE, true);

      // If you can't completely disable DTDs, then at least do the following:

      // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities

      // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities

      // JDK7+ - http://xml.org/sax/features/external-general-entities   

      FEATURE = "http://xml.org/sax/features/external-general-entities";

      dbf.setFeature(FEATURE, false);

      // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities

      // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities

      // JDK7+ - http://xml.org/sax/features/external-parameter-entities   

      FEATURE = "http://xml.org/sax/features/external-parameter-entities";

      dbf.setFeature(FEATURE, false);

      // Disable external DTDs as well

      FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

      dbf.setFeature(FEATURE, false);

      // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"

      dbf.setXIncludeAware(false);

      dbf.setExpandEntityReferences(false);

      // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then

      // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks

      // (http://cwe.mitre.org/data/definitions/918.html) and denial

      // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

      // remaining parser logic

      ...

      } catch (ParserConfigurationException e) {

            // This should catch a failed setFeature feature

            logger.info("ParserConfigurationException was thrown. The feature '" +

                FEATURE + "' is probably not supported by your XML processor.");

            ...

        }

        catch (SAXException e) {

            // On Apache, this should be thrown when disallowing DOCTYPE

            logger.warning("A DOCTYPE was passed into the XML document");

            ...

        }

        catch (IOException e) {

            // XXE that points to a file that doesn't exist

            logger.error("IOException occurred, XXE may still possible: " + e.getMessage());

            ...

        }

      DocumentBuilder safebuilder = dbf.newDocumentBuilder();

Note: The above defenses require Java 7 update 67, Java 8 update 20, or above, because the above countermeasures for DocumentBuilderFactory and SAXParserFactory are broken in earlier Java versions, per: CVE-2014-6517.

XMLInputFactory (a StAX parser)

StAX parsers such as XMLInputFactory allow various properties and features to be set.

To protect a Java XMLInputFactory from XXE, do this:

xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory

xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); // disable external entities

TransformerFactory

To protect a javax.xml.transform.TransformerFactory from XXE, do this:

TransformerFactory tf = TransformerFactory.newInstance();

tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Validator

To protect a javax.xml.validation.Validator from XXE, do this:

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");Schema schema = factory.newSchema();Validator validator = schema.newValidator();validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

SchemaFactory

To protect a javax.xml.validation.SchemaFactory from XXE, do this:

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");Schema schema = factory.newSchema(Source);

SAXTransformerFactory

To protect a javax.xml.transform.sax.SAXTransformerFactory from XXE, do this:

SAXTransformerFactory sf = SAXTransformerFactory.newInstance();

sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");

sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

sf.newXMLFilter(Source);

Note: Use of the following XMLConstants requires JAXP 1.5, which was added to Java in 7u40 and Java 8:

javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD

javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA

javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET

XMLReader

To protect a Java org.xml.sax.XMLReader from XXE, do this:

XMLReader reader = XMLReaderFactory.createXMLReader();reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // This may not be strictly required as DTDs shouldn't be allowed at all, per previous line.reader.setFeature("http://xml.org/sax/features/external-general-entities", false);reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

SAXReader

To protect a Java org.dom4j.io.SAXReader from XXE, do this:

saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Based on testing, if you are missing one of these, you can still be vulnerable to an XXE attack.

SAXBuilder

To protect a Java org.jdom2.input.SAXBuilder from XXE, do this:

SAXBuilder builder = new SAXBuilder();builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);builder.setFeature("http://xml.org/sax/features/external-general-entities", false);builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);Document doc = builder.build(new File(fileName));

SAX 

SAX的全称是Simple APIs for XML，也即XML简单应用程序接口。与DOM不同，SAX提供的访问模式是一种顺序模式，这是一种快速读写XML数据的方式。当使用SAX分析器对XML文档进行分析时，会触发一系列事件，并激活相应的事件处理函数，应用程序通过这些事件处理函数实现对XML文档的访问，因而SAX接口也被称作事件驱动接口。

防护参考以上:

官网链接:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J