如何保护javax.xml.transform.TransformerFactory免受xml外部攻击
我已经研究过这个问题,但是找不到任何相关的信息 我们是否需要采取任何安全措施来保护javax.xml.transform.Transformer免受xml外部实体攻击 我做了以下操作,它似乎扩展了dtd如何保护javax.xml.transform.TransformerFactory免受xml外部攻击,java,xml,security,Java,Xml,Security,我已经研究过这个问题,但是找不到任何相关的信息 我们是否需要采取任何安全措施来保护javax.xml.transform.Transformer免受xml外部实体攻击 我做了以下操作,它似乎扩展了dtd String fileData = "<!DOCTYPE acunetix [ <!ENTITY sampleVal SYSTEM \"file:///media/sample\">]><username>&sampleVal;</userna
String fileData = "<!DOCTYPE acunetix [ <!ENTITY sampleVal SYSTEM \"file:///media/sample\">]><username>&sampleVal;</username>";
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer();
StringWriter buff = new StringWriter();
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
System.out.println(buff.toString());
String fileData=“&sampleVal;”;
TransformerFactory TransformerFactory=TransformerFactory.newInstance();
transformerFactory.setFeature(xmlstants.FEATURE\u SECURE\u PROCESSING,true);
Transformer Transformer=transformerFactory.newTransformer();
StringWriter buff=新StringWriter();
setOutputProperty(OutputKeys.OMIT_XML_声明,“yes”);
transform(新StreamSource(新StringReader(fileData)),新StreamResult(buff));
System.out.println(buff.toString());
输出包含文件中的值
<username>test</username>
测试
您的代码似乎正确。当我运行这个稍微修改过的JUnit测试用例时:
@Test
public void test() throws TransformerException, URISyntaxException {
File testFile = new File(getClass().getResource("test.txt").toURI());
assertTrue(testFile.exists());
String fileData = "<!DOCTYPE acunetix [ <!ENTITY foo SYSTEM \"file://" +
testFile.toString() +
"\">]><xxe>&foo;</xxe>";
TransformerFactory transformerFactory = TransformerFactory.newInstance();
System.out.println(transformerFactory.getClass().getName());
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer();
StringWriter buff = new StringWriter();
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
assertEquals("<xxe>&foo;</xxe>", buff.toString());
}
从设置功能中
:
所有实现都需要支持XMLConstants.FEATURE\u SECURE\u处理功能。当功能为:
- true:实现将限制XML处理以符合实现限制,并以实现定义的安全方式进行操作。示例包括解析用户定义的样式表和函数。如果XML处理因安全原因受到限制,则将通过调用已注册的ErrorListener.fatalError(TransformerException异常)来报告。请参阅setErrorListener(ErrorListener listener)
transformerFactory.setFeature(xmlcontents.FEATURE\u SECURE\u PROCESSING,true),这个错误就会消失代码>,然后测试失败,因为实体已解析
尝试将ErrorListener添加到TransformerFactory和Transformer:
transformerFactory.setErrorListener(new ErrorListener() {
@Override
public void warning(TransformerException exception) throws TransformerException {
System.out.println("In Warning: " + exception.toString());
}
@Override
public void error(TransformerException exception) throws TransformerException {
System.out.println("In Error: " + exception.toString());
}
@Override
public void fatalError(TransformerException exception) throws TransformerException {
System.out.println("In Fatal: " + exception.toString());
}
});
Transformer transformer = transformerFactory.newTransformer();
transformer.setErrorListener(transformerFactory.getErrorListener());
我现在看到以下新的控制台输出:
In Error: javax.xml.transform.TransformerException: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
也许您的实现将其视为警告?否则,可能是您正在使用的实现?看起来JavaDoc规范并不精确,所以一个实现可能会做一些不同于另一个的事情。我很想知道错误的实现
In Error: javax.xml.transform.TransformerException: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.