XML Injection: DocumentBuilder and Defending Against XXE Attacks

A source-code scan flagged this issue. I rarely use XML and have never looked into it in depth, so when I hit this finding I had no idea what it was.
Reading up on the underlying principle, it seems fairly serious. I applied the fix found online, resubmitted the scan, and it actually passed, so I am writing it down here as a note.

References:

XML注入之DocumentBuilder與XXE攻擊防禦 [ Mi1k7ea ]

Improper Restriction of XXE Ref | 亂馬客 - Re:從零開始的軟體開發生活

XXE防禦筆記_Kingkk’s Blog - MdEditor

XML External Entity Prevention - OWASP Cheat Sheet Series

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class SafeXmlParser {

    // Builds a DocumentBuilder with DTD processing and external entity
    // resolution switched off, following the OWASP XXE prevention guidance.
    static DocumentBuilder newSafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        String FEATURE = null;
        try {
            // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all
            // XML entity attacks are prevented
            FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
            dbf.setFeature(FEATURE, true);

            // If you can't completely disable DTDs, then at least do the following
            FEATURE = "http://xml.org/sax/features/external-general-entities";
            dbf.setFeature(FEATURE, false);

            FEATURE = "http://xml.org/sax/features/external-parameter-entities";
            dbf.setFeature(FEATURE, false);

            // Disable external DTDs as well
            FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
            dbf.setFeature(FEATURE, false);

            // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        } catch (Exception e) {
            // The parser implementation does not support FEATURE; fail closed rather
            // than continue with a partially hardened factory.
            throw new IllegalStateException("Parser does not support feature: " + FEATURE, e);
        }
        DocumentBuilder safebuilder = dbf.newDocumentBuilder();
        return safebuilder;
    }
}
```
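To see what the hardening above actually changes, here is an added example (not from the original post or any of the referenced articles) that feeds the same constructed document, carrying an inline DOCTYPE with an internal entity, to a default DocumentBuilder and to the hardened one. The default builder expands the entity, while the hardened builder rejects the document at the DOCTYPE declaration, which is the behaviour the source-code scanner is checking for. The class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample: an inline DTD declaring an internal entity. It touches no
    // external resource; it only shows whether the parser honours a DOCTYPE at all.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>"
      + "<note>&greeting;</note>";

    // Same feature set as the snippet above, collected into one factory method.
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns the root element's text if parsing succeeds, or the parser's reason
    // for rejecting the document so the two builders can be compared side by side.
    static String parseWith(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder unhardened = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default  -> " + parseWith(unhardened, SAMPLE));
        System.out.println("hardened -> " + parseWith(hardened(), SAMPLE));
    }
}
```

Run it once before and once after applying the hardening in your own code: if the "hardened" line still reports the expanded entity text, the feature settings are not reaching the factory that actually parses the input.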