How to Prevent XML External Entity Injection on TransformerFactory


Question

My problem:

Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack.

```java
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);
```

Solutions I tried:

  1. Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true.

Looked into possibilities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers, e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be accepting anything else than XMLConstants.FEATURE_SECURE_PROCESSING. Impl Code

Please point me to any resource that you think I might have not gone through or a possible solution to this issue.

Accepted answer

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
```

I think this should be enough.

Fortify would suggest below features but those don't work for TransformerFactory:

```java
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

We might need to change to a different parser to make use of them.
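The configuration from the answer above, wrapped in a complete program as an added example (not code from the question or answer): the factory is built with secure processing plus the JAXP 1.5 access-restriction attributes, fails closed when the JAXP implementation does not know those attributes, and is then exercised against a constructed input whose DOCTYPE points at a placeholder external DTD so the restriction can be seen to take effect. The stylesheet, the input document and the DTD path are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformerExample {
    // Constructed stylesheet: copies the input document unchanged.
    static final String XSL = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:template match=\"/\"><xsl:copy-of select=\".\"/></xsl:template></xsl:stylesheet>";
    // Constructed input whose DOCTYPE references a placeholder external DTD.
    static final String XML_WITH_EXTERNAL_DTD =
        "<!DOCTYPE root SYSTEM \"file:///placeholder/external.dtd\"><root>hello</root>";

    /** Factory configured as in the answer; fails closed if the implementation lacks JAXP 1.5 attributes. */
    static TransformerFactory newHardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // "" = no protocol allowed: blocks external DTDs in the source and
            // xsl:import / xsl:include / document() fetches from the stylesheet.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Older or third-party implementations may not know these attributes: do not continue silently.
            throw new TransformerException("No JAXP 1.5 access restrictions in " + factory.getClass().getName(), e);
        }
        return factory;
    }

    static String transform(TransformerFactory factory, String xml) throws TransformerException {
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = newHardenedFactory();
        System.out.println(transform(factory, "<root>hello</root>"));  // plain input still transforms
        try {
            transform(factory, XML_WITH_EXTERNAL_DTD);
        } catch (TransformerException e) {
            // With the JDK's built-in XSLTC the message names the accessExternalDTD restriction.
            System.out.println("External DTD blocked: " + e.getMessage());
        }
    }
}
```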
