Correctly configuring the Xerces2 Java SchemaFactory to prevent XEE attacks
I am trying to write a utility method that builds a Xerces2 XML validator configured out of the box to handle XML External Entity (XEE) attacks. The goal is a central factory that takes care of all the configuration in one place. This is what I am currently doing:
SchemaFactory sf = SchemaFactory.newInstance(schemaLanguage);
sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
sf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
The idea is to disable all DTDs (which is fine in my case). But when I try the following test:
public static final String VALID_XML_SCHEMA
= "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
+ " <xs:element name=\"note\"/>"
+ "</xs:schema>";
public static final String VALID_XML_DOC_WITH_EXTERNAL_GENERAL_ENTITY
= "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<!DOCTYPE note ["
+ " <!ELEMENT note ANY >"
+ " <!ENTITY space SYSTEM \"note.dtd\">"
+ "]>"
+ "<note>&space;</note>";
...
SchemaFactory factory = SecureXML.createSchemaFactory(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = factory.newSchema(new StreamSource(new ByteArrayInputStream(VALID_XML_SCHEMA.getBytes())));
Validator validator = schema.newValidator();
validator.validate(new StreamSource(new ByteArrayInputStream(VALID_XML_DOC_WITH_EXTERNAL_GENERAL_ENTITY.getBytes())));
This means the DTD is not being ignored, so the XEE vulnerability is still there.
I have tried the various approaches listed above, but as far as I can tell none of them works with Xerces2. Note that I have Xerces2 (2.12.0) and Xalan2 (2.7.0) on my classpath. This matters: if you try my code without those dependencies, the JDK falls back to its default SchemaFactory implementation, which behaves differently. My question is specifically about the Xerces2 implementation.
Here is my complete pom.xml for reference:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.leplus.infsec</groupId>
<artifactId>xee</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>xee</name>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
<version>2.7.2</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.0</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
If anyone wants to reproduce or test the problem, all my source code and the JUnit test case are available.
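One way to make the DOCTYPE rejection apply to the instance document as well, as an added example that is not the asker's code: the features set on the SchemaFactory govern only how the schema itself is parsed, while a document passed to Validator.validate as a StreamSource is read by a parser the validator creates internally. Parsing the document with your own hardened SAXParser and handing the validator a SAXSource puts that parser under your control. The class and method names below are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public final class SecureXmlValidation {

    // Same Xerces feature the question uses; rejects any <!DOCTYPE ...> outright.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    // Hardened SchemaFactory. These features only govern how the *schema* is parsed.
    public static SchemaFactory createSchemaFactory(String schemaLanguage) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(schemaLanguage);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setFeature(DISALLOW_DOCTYPE, true);
        return sf;
    }

    // Hardened XMLReader for the *instance document*; this is the parser that sees the DOCTYPE.
    public static XMLReader createSecureReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // required for schema validation
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(DISALLOW_DOCTYPE, true);
        return spf.newSAXParser().getXMLReader();
    }

    // Validates xml against schema. Because the validator consumes SAX events from our
    // reader, a DOCTYPE in xml fails with a SAXParseException before any entity is resolved.
    public static void validate(Schema schema, byte[] xml)
            throws IOException, SAXException, ParserConfigurationException {
        Validator validator = schema.newValidator();
        InputSource in = new InputSource(new ByteArrayInputStream(xml));
        validator.validate(new SAXSource(createSecureReader(), in));
    }
}
```

Running validate with the question's VALID_XML_DOC_WITH_EXTERNAL_GENERAL_ENTITY should now throw a SAXParseException reporting that DOCTYPE is disallowed, which is the behaviour the asker's test expects.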