How do I make Java code Sonar-compliant with XMLInputFactory when the woodstox library registers its own implementation?
I am trying to comply with the following Sonar blocker rule: XML parsers should not be vulnerable to XXE attacks (java:S2755). The XML specification allows the use of internal or external entities; external ones (file system / network access ...) can lead to vulnerabilities such as confidential file disclosure or SSRF. In the Sonar rule description they give an example of how to comply:
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
My problem is that the application's classpath contains two libraries, woodstox-core-asl and wstx-asl, which register their own implementation com.ctc.wstx.stax.WstxInputFactory in /META-INF/services/javax.xml.stream.XMLInputFactory. This implementation, com.ctc.wstx.stax.WstxInputFactory, does not support accessExternalDTD and therefore fails with the following error message:
Unrecognized property
'http://javax.xml.XMLConstants/property/accessExternalDTD'
I tried, successfully, to create a new com.sun.xml.internal.stream.XMLInputFactoryImpl() directly, or Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance(), but that only replaces one warning with another, the one about restricted APIs.
Is there a good solution?
Here is a minimal reproducible example, with the workaround shown in the commented line:
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.util.StreamReaderDelegate;

public class XMLReader extends StreamReaderDelegate implements AutoCloseable {

    private final Reader reader;

    public XMLReader(Reader reader) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
        this.reader = reader;
        // Workaround: bypass the service-loader lookup (which picks up Woodstox) and use the JDK implementation directly
        //XMLInputFactory factory = (XMLInputFactory) Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Fails with "Unrecognized property" when the factory is com.ctc.wstx.stax.WstxInputFactory
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        setParent(factory.createXMLStreamReader(reader));
    }

    @Override
    public void close() throws XMLStreamException {
        try {
            super.close();
            reader.close();
        } catch (IOException e) {
            throw new XMLStreamException(e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
        try (XMLReader xmlReader = new XMLReader(new StringReader("</test>"))) {
        }
    }
}
You can also find the dependencies listed in the following Maven POM file:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>test-xml</groupId>
    <artifactId>test-xml</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <build>
        <plugins>
            <plugin>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.8.1</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.woodstox</groupId>
            <artifactId>wstx-asl</artifactId>
            <version>3.2.8</version>
        </dependency>
        <dependency>
            <groupId>org.codehaus.woodstox</groupId>
            <artifactId>woodstox-core-asl</artifactId>
            <version>4.4.1</version>
        </dependency>
    </dependencies>
</project>
Apparently, even though it is not in the rule description, Sonar also recognizes the property XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, which is a standard StAX property with the same functionality:
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
See also:
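A regression check for the approach in the answer, added here as an example and not code from the question or the answer: it builds a factory hardened with standard StAX properties only (the IS_SUPPORTING_EXTERNAL_ENTITIES property from the answer, plus SUPPORT_DTD as a stricter additional setting), feeds it a constructed document that references a local canary file through an external entity, and confirms the canary content never reaches the parsed text, whichever implementation (Woodstox or the JDK one) the service loader picks. The class name, the canary file and the document are constructed for this example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeCheck {
    // Hardened factory using only standard StAX properties, so it behaves the same
    // whether Woodstox or the JDK implementation is picked up from the classpath.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Stricter still: skip DTDs entirely when the application never needs them.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return factory;
    }

    // Collects all character data the parser reports; an external entity that was
    // left unexpanded surfaces as an ENTITY_REFERENCE event rather than as text.
    static String collectText(XMLInputFactory factory, String xml) throws XMLStreamException {
        StringBuilder text = new StringBuilder();
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        while (r.hasNext()) {
            int event = r.next();
            if (event == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                text.append("[unresolved entity ").append(r.getLocalName()).append(']');
            }
        }
        r.close();
        return text.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed canary file standing in for whatever a hostile document would try to read.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY-CONTENT".getBytes(StandardCharsets.UTF_8));
        String xml = "<!DOCTYPE test [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]><test>&ext;</test>";
        try {
            String text = collectText(hardenedFactory(), xml);
            System.out.println("leaked=" + text.contains("CANARY-CONTENT") + " text=" + text);
        } catch (XMLStreamException e) {
            System.out.println("leaked=false (parser rejected the document: " + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(canary);
        }
    }
}
```

With SUPPORT_DTD disabled the DOCTYPE is skipped, so the reference to the undeclared entity is rejected by the parser; leaving SUPPORT_DTD on but IS_SUPPORTING_EXTERNAL_ENTITIES off instead yields an unexpanded ENTITY_REFERENCE event, and in both cases leaked stays false.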