forked from wooyunwang/Fortify
-
Notifications
You must be signed in to change notification settings - Fork 0
/
XML外部实体注入
29 lines (29 loc) · 1.61 KB
/
XML外部实体注入
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
应对 XML 解析器进行安全配置,使它不允许将外部实体包含在传入的 XML 文档中。
为了避免 XXE injections,应为 XML 代理、解析器或读取器设置下面的属性:
<pre>
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
</pre>
如果不需要 inline DOCTYPE 声明,可使用以下属性将其完全禁用:
<pre>
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
</pre>
要保护 TransformerFactory,应设置下列属性:
<pre>
TransformerFactory transFact = TransformerFactory.newInstance();
transFact.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
Transformer trans = transFact.newTransformer(xsltSource);
trans.transform(xmlSource, result);
</pre>
或者,也可以使用安全配置的 XMLReader 来设置转换源:
<pre>
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Source xmlSource = new SAXSource(reader, new InputSource(new FileInputStream(xmlFile)));
Source xsltSource = new SAXSource(reader, new InputSource(new FileInputStream(xsltFile)));
Result result = new StreamResult(System.out);
TransformerFactory transFact = TransformerFactory.newInstance();
Transformer trans = transFact.newTransformer(xsltSource);
trans.transform(xmlSource, result);
</pre>