Java 如何解决';不正确地限制XML外部实体引用(';XXE';)';
我正在尝试修复veracode在我的web应用程序中列出的所有漏洞。我被困在这个我实际上不知道的特殊弱点上XML外部实体的不正确限制 参考'。Cal any请帮助我解释代码的问题以及我们可以解决这个问题的方法Java 如何解决';不正确地限制XML外部实体引用(';XXE';)';,java,security,xml-parsing,unmarshalling,veracode,Java,Security,Xml Parsing,Unmarshalling,Veracode,我正在尝试修复veracode在我的web应用程序中列出的所有漏洞。我被困在这个我实际上不知道的特殊弱点上XML外部实体的不正确限制 参考'。Cal any请帮助我解释代码的问题以及我们可以解决这个问题的方法 Object objec = null; try { JAXBContext jContext = JAXBContext.newInstance(context); Unmarshaller unmarshaller = jContext
Object objec = null;
try {
JAXBContext jContext = JAXBContext.newInstance(context);
Unmarshaller unmarshaller = jContext.createUnmarshaller();
InputStream inputStream = new ByteArrayInputStream(xml.getBytes());
objec = unmarshaller.unmarshal(inputStream); //Vulnerability reported in this line
} catch (JAXBException e) {
e.printStackTrace();
}
return objec;
}
这是获得解决方案的一个很好的参考: 例如,在您的示例中,您只需将这两个属性添加到
XMLInputFactory
和流读取器:
final Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
// These 2 properties are the key
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
// Your stream reader for the xml string
final XMLStreamReader xmlStreamReader = xmlInputFactory
.createXMLStreamReader(new StringReader(yourXMLStringGoesHere));
final NsIgnoringXmlReader nsIgnoringXmlReader = new NsIgnoringXmlReader(xmlStreamReader);
// Done with unmarshalling the XML safely
final YourObject obj = (YourObject) unmarshaller.unmarshal(nsIgnoringXmlReader);
这将有助于Veracode扫描这是获得解决方案的良好参考: 例如,在您的示例中,您只需将这两个属性添加到
XMLInputFactory
和流读取器:
final Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
// These 2 properties are the key
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
// Your stream reader for the xml string
final XMLStreamReader xmlStreamReader = xmlInputFactory
.createXMLStreamReader(new StringReader(yourXMLStringGoesHere));
final NsIgnoringXmlReader nsIgnoringXmlReader = new NsIgnoringXmlReader(xmlStreamReader);
// Done with unmarshalling the XML safely
final YourObject obj = (YourObject) unmarshaller.unmarshal(nsIgnoringXmlReader);
这将有助于Veracode扫描的可能重复