Strengthen the fix for XML External Entity Injection

When I scanned using the Fortify tool, I had some problems in the section "Embedding the XML of an external object".

TransformerFactory trfactory = TransformerFactory.newInstance(); 

This is the line where the error is reported. I applied the following fix suggested by Fortify:

    trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

but the problem is still not resolved. How can I fix this?

4 answers
    TransformerFactory trfactory = TransformerFactory.newInstance();
    // Turn on JAXP secure processing.
    trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // An empty protocol list forbids fetching any external DTD/entity or stylesheet.
    trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

That would be enough.

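A self-check for the configuration in the answer above, added here as an example (not code from the question or the answers): it hardens the JDK's built-in TransformerFactory and then runs an identity transform over two constructed inputs, one of which declares an external entity pointing at a host that cannot resolve, so you can see the transformer refuse it. The class and method names are assumptions made for this demo.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformerCheck {

    // JDK default TransformerFactory with secure processing on and empty
    // ACCESS_EXTERNAL_* protocol lists: neither the stylesheet nor the input
    // document may pull in an external DTD, entity or stylesheet.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // TransformerFactory.setFeature does not accept the SAX parser feature
        // URIs from the question; those belong on an XMLReader or a
        // DocumentBuilderFactory. setAttribute throws IllegalArgumentException
        // on implementations that do not know these JAXP 1.5 properties.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform; returns the output, or null if the input is rejected.
    static String identityTransform(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer();
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws TransformerConfigurationException {
        TransformerFactory tf = hardenedFactory();
        // Constructed inputs: a plain document, and one whose internal DTD
        // declares an external entity on a host that cannot resolve.
        String plain = "<doc><item>ok</item></doc>";
        String external = "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://blocked.invalid/e.txt\">]>"
                + "<doc>&ext;</doc>";
        System.out.println("plain accepted:    " + (identityTransform(tf, plain) != null));
        System.out.println("external accepted: " + (identityTransform(tf, external) != null));
    }
}
```

These attributes only govern what the transformer itself parses; if the input arrives as a DOMSource or SAXSource, the parser that produced it must be hardened separately.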

I tried using the Xalan implementation class directly instead of TransformerFactory.newInstance(). It worked for me, and the finding was fixed.

    import org.apache.xalan.processor.TransformerFactoryImpl;

    // Instantiate the Xalan factory directly rather than via the JAXP lookup.
    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    Transformer transformer = transformerFactoryImpl.newTransformer();

Sometimes it will not work if the Java version is incompatible.

    // dbf is a DocumentBuilderFactory; javaVersion holds the runtime version.
    if (javaVersion > 1.6) {
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    } else if (javaVersion > 1.5) {
        dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
        dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
    } else {
        dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
        dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
    }

This worked for me :-)


You can also try:

    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    // setFeature is a factory method, so it must be called before creating the Transformer.
    transformerFactoryImpl.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    Transformer transformer = transformerFactoryImpl.newTransformer();
