
java - How to protect javax.xml.transform.TransformerFactory from XML external entity attacks

Reposted. Author: 塔克拉玛干. Updated: 2023-11-03 04:29:54

I have researched this topic but could not find any relevant information.

Do we need to take any security measures to protect javax.xml.transform.Transformer from XML external entity attacks?

I did the following, and it seems to expand the DTD.

import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

// Input declares an external entity that points at a local file.
String fileData = "<!DOCTYPE acunetix [  <!ENTITY sampleVal SYSTEM \"file:///media/sample\">]><username>&sampleVal;</username>";
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer();
StringWriter buff = new StringWriter();
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
// Identity transform: source XML is copied to the StringWriter.
transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
System.out.println(buff.toString());

The output contains the value read from the file:

<username>test</username>

Best answer

Your code looks correct. When I run this slightly modified JUnit test case:

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.io.File;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URISyntaxException;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;
import org.junit.Test;

@Test
public void test() throws TransformerException, URISyntaxException {
    // test.txt is a resource on the test classpath; the entity points at it.
    File testFile = new File(getClass().getResource("test.txt").toURI());
    assertTrue(testFile.exists());
    String fileData = "<!DOCTYPE acunetix [ <!ENTITY foo SYSTEM \"file://" +
            testFile.toString() +
            "\">]><xxe>&foo;</xxe>";
    TransformerFactory transformerFactory = TransformerFactory.newInstance();
    // Print which JAXP implementation is actually in use.
    System.out.println(transformerFactory.getClass().getName());
    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    Transformer transformer = transformerFactory.newTransformer();
    StringWriter buff = new StringWriter();
    transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
    transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
    // Passes only if the entity reference is left unexpanded.
    assertEquals("<xxe>&foo;</xxe>", buff.toString());
}

I get the following output:

com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
[Fatal Error] :1:182: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
ERROR: 'External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.'

From the setFeature JavaDocs:

All implementations are required to support the XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:

  • true: the implementation will limit XML processing to conform to implementation limits and behave in a secure fashion as defined by the implementation. Examples include resolving user defined style sheets and functions. If XML processing is limited for security reasons, it will be reported via a call to the registered ErrorListener.fatalError(TransformerException exception). See setErrorListener(ErrorListener listener).

If I comment out transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);, that error goes away, and the test then fails because the entity has been resolved.

Try adding an ErrorListener to both the TransformerFactory and the Transformer:

transformerFactory.setErrorListener(new ErrorListener() {

    @Override
    public void warning(TransformerException exception) throws TransformerException {
        System.out.println("In Warning: " + exception.toString());
    }

    @Override
    public void error(TransformerException exception) throws TransformerException {
        System.out.println("In Error: " + exception.toString());
    }

    @Override
    public void fatalError(TransformerException exception) throws TransformerException {
        System.out.println("In Fatal: " + exception.toString());
    }
});

Transformer transformer = transformerFactory.newTransformer();
transformer.setErrorListener(transformerFactory.getErrorListener());

I now see the following new console output:

In Error: javax.xml.transform.TransformerException: External Entity: Failed to read external document 'test.txt', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.

Perhaps your implementation treats it as a warning? Or perhaps it is the implementation you are using? It looks like the JavaDoc specification is not precise, so one implementation may do something different from another. I would be curious to know which implementation is wrong!
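As an added example (not code from the question or the answer above), this is how a defender would configure the same identity transform so that it fails closed: FEATURE_SECURE_PROCESSING plus the JAXP 1.5 attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET set to the empty string, and an ErrorListener that rethrows instead of only printing, so a blocked entity fetch surfaces as an exception rather than as output that looks successful. The class name, the helper names and the placeholder file path are assumptions; it assumes a JAXP 1.5 aware implementation (the JDK's built-in XSLTC qualifies).

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class HardenedTransform {
    // Factory that refuses every external DTD/entity and stylesheet fetch,
    // independent of whether the implementation's default listener throws.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5: an empty protocol list denies all schemes (file, http, ...).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    // Listener that never swallows a report: the default may only print to
    // stderr, which lets the transform appear to succeed.
    static final ErrorListener FAIL_CLOSED = new ErrorListener() {
        public void warning(TransformerException e) throws TransformerException { throw e; }
        public void error(TransformerException e) throws TransformerException { throw e; }
        public void fatalError(TransformerException e) throws TransformerException { throw e; }
    };

    static String identityTransform(String xml) throws TransformerException {
        TransformerFactory f = hardenedFactory();
        f.setErrorListener(FAIL_CLOSED);
        Transformer t = f.newTransformer();
        t.setErrorListener(FAIL_CLOSED);
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the same shape as the question's input; the
        // SYSTEM id is a placeholder, not a real file.
        String xxe = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>"
                   + "<username>&ext;</username>";
        try {
            System.out.println("Unexpected output: " + identityTransform(xxe));
        } catch (TransformerException e) {
            System.out.println("Blocked as expected: " + e.getMessage());
        }
        // Ordinary input without a DOCTYPE still transforms normally.
        System.out.println(identityTransform("<username>alice</username>"));
    }
}
```

Wrapping the listener's exception in a test assertion is the check to keep in a build: if a different JAXP implementation lands on the classpath and expands the entity, the test fails instead of the restriction silently disappearing.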

Regarding java - How to protect javax.xml.transform.TransformerFactory from XML external entity attacks, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32086062/
