XML parser configured does not prevent nor limit external entities resolution

The XML parser, as configured, neither prevents nor limits the resolution of external entities. This can expose the parser to an XML External Entities attack.

We had a security audit on our code, and it mentioned that our code is vulnerable to XML External Entity (XXE) attacks.

Explanation

XML External Entities attacks take advantage of an XML feature for building documents dynamically at the time of processing. An XML entity allows data to be included dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service against the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service against remote systems.

The following XML document shows an example of an XXE attack.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

This example could crash the server (on a UNIX system) if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

Solution:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class TEST {
    // Placeholder for the author's handler, which the post does not show;
    // any ContentHandler can be used here.
    static class MyHandler extends DefaultHandler { }

    // Do not allow the input XML document to contain external entities:
    // either set "external-general-entities" and "external-parameter-entities"
    // to false, or (stronger, and what is done here) reject the DOCTYPE entirely.
    // Correct usage:
    public static void read2() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Disable DTDs completely: without a DOCTYPE no entity can be declared
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        SAXParser parser = factory.newSAXParser();
        File f = new File("demo.xml");
        // try-with-resources closes the stream even if parsing throws
        try (InputStream in = new FileInputStream(f)) {
            parser.parse(in, new MyHandler());
        }
    }
}
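The explanation above describes what an external entity does to an unconfigured parser, and the solution shows the one-line fix; the following added example (not code from the original post or from the audit tool) ties the two together as a check you can run to verify the fix in your own build. It parses the same constructed document twice: once with a stock `SAXParserFactory` and once with a hardened one. The document has the shape of the audit's example, but its entity points at a temporary file the program writes itself, rather than at /dev/random, so the run terminates. The class, method and handler names, the temp-file marker and the `foo` root element are all assumptions made for this demonstration; the feature URIs are the standard ones for the JDK's built-in Xerces parser.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningCheck {

    // Handler that collects the text content of the document, so we can
    // see whether the parser substituted the entity with file contents.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // Stock factory: on a default JDK, external entities are resolved.
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory: rejecting every DOCTYPE removes entity declarations,
    // and with them XXE. The two entity features are defence in depth for
    // parser implementations that honour them but not disallow-doctype-decl.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parse the document with the given factory. Returns the text the handler
    // saw, or the parser's reason for refusing the document.
    static String parseWith(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, handler);
            return "PARSED: " + handler.text.toString().trim();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a temp file standing in for a sensitive local file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-MARKER-12345".getBytes(StandardCharsets.UTF_8));
        try {
            // Constructed document in the shape of the audit's example; the
            // entity targets the temp file so the demonstration finishes.
            String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [\n"
                + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
                + "]>\n"
                + "<foo>&xxe;</foo>";

            System.out.println("default  -> " + parseWith(defaultFactory(), xml));
            System.out.println("hardened -> " + parseWith(hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the stock factory the first line shows the marker text leaking into the handler, which is exactly what the audit finding warns about; with the hardened factory the parser throws a `SAXParseException` on the DOCTYPE before any entity is resolved. The same `disallow-doctype-decl` feature applies to `DocumentBuilderFactory` for DOM parsing, so the same check can be repeated there if the code base uses both APIs.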
