Java: how to fix "Improper Restriction of XML External Entity Reference ('XXE')"

Tags: java, security, xml-parsing, unmarshalling, veracode

I am trying to fix all the vulnerabilities Veracode listed for my web application. I am stuck on this particular weakness, which I actually know nothing about: "Improper Restriction of XML External Entity Reference". Can anyone please help me understand what the problem with the code is and how we can fix it?

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.JAXBException;
    import javax.xml.bind.Unmarshaller;

    // The enclosing signature is not in the post; assumed here so the snippet compiles.
    public Object unmarshal(Class<?> context, String xml) {
        Object objec = null;

        try {
            JAXBContext jContext = JAXBContext.newInstance(context);
            Unmarshaller unmarshaller = jContext.createUnmarshaller();
            InputStream inputStream = new ByteArrayInputStream(xml.getBytes());
            // JAXB creates the underlying XML parser itself here, so the application
            // never gets a chance to disable DTD or external-entity processing.
            objec = unmarshaller.unmarshal(inputStream);  //Vulnerability reported in this line

        } catch (JAXBException e) {
            e.printStackTrace();
        }

        return objec;
    }

Here is a good reference for the solution:

For example, in your case you only need to add these two properties to the `XMLInputFactory` and use the stream reader:

        import java.io.StringReader;
        import javax.xml.bind.Unmarshaller;
        import javax.xml.stream.XMLInputFactory;
        import javax.xml.stream.XMLStreamReader;

        final Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
        XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // These 2 properties are the key: no DTD processing, no external entities
        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Your stream reader for the xml string
        final XMLStreamReader xmlStreamReader = xmlInputFactory
                .createXMLStreamReader(new StringReader(yourXMLStringGoesHere));
        // NsIgnoringXmlReader is a custom XMLStreamReader wrapper from the linked reference (not shown here)
        final NsIgnoringXmlReader nsIgnoringXmlReader = new NsIgnoringXmlReader(xmlStreamReader);
        // Done with unmarshalling the XML safely: JAXB reads from the reader we configured
        final YourObject obj = (YourObject) unmarshaller.unmarshal(nsIgnoringXmlReader);

This should take care of the Veracode finding.
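An added end-to-end example (not code from the question or the answer) of the pattern above on constructed input: a small JAXB class, a helper that builds the StAX reader with both properties switched off, and a check that a document carrying a DOCTYPE is rejected while a plain one parses. It assumes the `javax.xml.bind` JAXB API is on the classpath (bundled with Java 8, a separate dependency from Java 11 on); `User` and `unmarshalSafely` are names chosen here.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbDemo {

    // Constructed sample type for the demo (not from the question).
    @XmlRootElement(name = "user")
    public static class User {
        @XmlElement public String name;
    }

    // Hardened unmarshal: JAXB reads from a StAX reader that we configured ourselves,
    // so the DTD (and any entity declarations in it) is never processed.
    public static <T> T unmarshalSafely(Class<T> type, String xml)
            throws JAXBException, XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            return type.cast(JAXBContext.newInstance(type).createUnmarshaller().unmarshal(reader));
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one with an inline DTD declaring a
        // harmless internal entity, used only to show that DTD handling is off.
        String clean = "<user><name>alice</name></user>";
        String withDtd = "<!DOCTYPE user [<!ENTITY x \"x\">]><user><name>&x;</name></user>";

        System.out.println("clean   -> " + unmarshalSafely(User.class, clean).name);
        try {
            unmarshalSafely(User.class, withDtd);
            System.out.println("withDtd -> parsed (the factory did not honour the settings)");
        } catch (XMLStreamException | JAXBException e) {
            // With SUPPORT_DTD=false the reader either refuses the DOCTYPE or treats &x; as
            // undeclared; either way the parse fails instead of expanding the entity.
            System.out.println("withDtd -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same factory settings apply when the input comes from an `InputStream` (use `createXMLStreamReader(InputStream)`); the point is that the application, not JAXB, constructs the parser.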

