Veracode XML外部实体参考(XXE) [英] Veracode XML External Entity Reference (XXE)

问题描述

我在veracode报告中得到了下一个发现: XML外部实体引用('XXE')的不当限制(CWE ID 611) 引用下面的代码

I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow

...

  DocumentBuilderFactory dbf=null;      
  DocumentBuilder db = null;    
  try {         
        dbf=DocumentBuilderFactory.newInstance();  
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 
        dbf.setExpandEntityReferences(false); 
        dbf.setXIncludeAware(false);        
        dbf.setValidating(false); 
        dbf.newDocumentBuilder();   
        InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
        Document doc = db.parse(stream, "");            

...

我一直在研究，但是我还没有找到这个发现的原因或使它消失的方法. 你能告诉我怎么做吗?

I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?

推荐答案

您是否看到过有关XXE的OWASP指南?

您没有禁用应禁用的3个功能.最重要的是第一个:

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

这篇关于Veracode XML外部实体参考(XXE)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！