
java - How to prevent XML injection such as XML bombs and XXE attacks

Reposted. Author: 塔克拉玛干. Updated: 2023-11-02 23:14:35

I am developing an Android app with

android:minSdkVersion="14"

in which I need to parse XML. For this I am using a DOM parser like this

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = null;
Document doc = null;
try {
    dBuilder = dbFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
}

But when the code was checked for security, two security issues were reported on the line

dBuilder = dbFactory.newDocumentBuilder();, namely

1. XML Entity Expansion Injection (XML Bomb)

2. XML External Entity Injection (XXE attack)

After some research I added this line: dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But now I get an exception when this line executes

javax.xml.parsers.ParserConfigurationException: http://javax.xml.XMLConstants/feature/secure-processing

Can anyone help me?

Accepted answer

Have you tried the following code fragment from the OWASP page?

import java.io.IOException;                                // XXE to a missing file
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import org.xml.sax.SAXException;                            // thrown when a DOCTYPE is rejected
...

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null; // declared outside the try block so the catch clause can report it
try {
    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
    // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);

    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    dbf.setFeature(FEATURE, false);

    // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
    // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
    // (http://cwe.mitre.org/data/definitions/918.html) and denial
    // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

    // remaining parser logic
    ...
} catch (ParserConfigurationException e) {
    // This should catch a failed setFeature feature
    // (logger is whatever logging facade the application already uses)
    logger.info("ParserConfigurationException was thrown. The feature '" +
                FEATURE +
                "' is probably not supported by your XML processor.");
    ...
} catch (SAXException e) {
    // On Apache, this should be thrown when disallowing DOCTYPE
    logger.warning("A DOCTYPE was passed into the XML document");
    ...
} catch (IOException e) {
    // XXE that points to a file that doesn't exist
    logger.error("IOException occurred, XXE may still be possible: " + e.getMessage());
    ...
}
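The OWASP fragment above is written for Xerces, while the stack trace in the question shows a parser that answers an unknown feature name with ParserConfigurationException, so a single try block aborts at the first unsupported feature and leaves the rest unset. The following is an added example; it is not code from the original post, from the OWASP cheat sheet or from any project. It applies each hardening feature separately and records which ones the parser refused, and where the parser cannot be told to reject DTDs it fails closed by refusing any input that carries a DOCTYPE before parsing, with an EntityResolver that returns empty input as a second layer. The class name HardenedXmlParser, the Xerces load-external-dtd feature name (not in the answer above) and the two sample documents are my own additions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical helper: hardens DocumentBuilderFactory and fails closed where the parser cannot be hardened. */
public final class HardenedXmlParser {

    // Feature names from the answer above (Xerces / SAX) plus Xerces' load-external-dtd switch.
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    private final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    private final List<String> unsupported = new ArrayList<String>();
    private final boolean parserRejectsDoctype;

    public HardenedXmlParser() {
        // Set each feature on its own: an unsupported name throws ParserConfigurationException
        // (exactly what the question's stack trace shows) and must not abort the other settings.
        parserRejectsDoctype = trySetFeature(DISALLOW_DOCTYPE, true);   // primary defense
        trySetFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // entity expansion limits on the JDK parser
        trySetFeature(EXTERNAL_GENERAL, false);
        trySetFeature(EXTERNAL_PARAMETER, false);
        trySetFeature(LOAD_EXTERNAL_DTD, false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setXIncludeAware(false);
        } catch (UnsupportedOperationException e) {
            unsupported.add("setXIncludeAware");   // the base class throws this when an implementation does not override it
        }
    }

    private boolean trySetFeature(String name, boolean value) {
        try {
            factory.setFeature(name, value);
            return true;
        } catch (ParserConfigurationException e) {
            unsupported.add(name);
            return false;
        }
    }

    /** Names the parser refused; log this once at startup so a weakened setup is visible. */
    public List<String> unsupportedFeatures() {
        return new ArrayList<String>(unsupported);
    }

    /** Fail-closed pre-check, used only when the parser itself cannot reject DTDs.
     *  It is deliberately crude: a DOCTYPE inside a comment or CDATA section is also
     *  rejected, which costs a legitimate document rather than admitting a DTD. */
    static boolean containsDoctype(String xml) {
        return xml.contains("<!DOCTYPE");   // the XML spec requires this keyword in upper case
    }

    public Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        if (!parserRejectsDoctype && containsDoctype(xml)) {
            throw new SAXException("DOCTYPE declarations are not accepted by this application");
        }
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Second layer: every external entity resolves to empty input instead of a file or URL.
        builder.setEntityResolver(new EntityResolver() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        HardenedXmlParser parser = new HardenedXmlParser();
        System.out.println("Unsupported by this parser: " + parser.unsupportedFeatures());

        // Constructed samples: a plain document and one that declares an internal entity.
        String plain = "<note><to>ops</to></note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY e \"x\">]><note>&e;</note>";

        System.out.println("plain root element: " + parser.parse(plain).getDocumentElement().getTagName());
        try {
            parser.parse(withDoctype);
            System.out.println("DOCTYPE document accepted: hardening failed");
        } catch (SAXException e) {
            // Thrown by Xerces when disallow-doctype-decl is on, or by the pre-check otherwise.
            System.out.println("DOCTYPE document rejected: " + e.getMessage());
        }
    }
}
```

On a JDK with the built-in Xerces the DOCTYPE sample is rejected by the parser itself; on a runtime whose factory only knows a few feature names, the constructor records the refused names and the pre-check rejects the same sample. Logging unsupportedFeatures() at startup is the check worth keeping, because a parser swap can silently turn the primary defense off.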

Regarding java - How to prevent XML injection such as XML bombs and XXE attacks, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/26488319/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号