最近一段时间被曝出的微信支付的XML解析存在的安全问题,主要问题是XML外部实体注入漏洞(XML External Entity Injection,简称 XXE),该安全问题是由XML组件默认没有禁用外部实体引用导致,非微信支付系统存在漏洞。微信官方做了回应,原文地址:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
如果你在处理支付业务回调通知时,存在以下使用XML解析的场景,需要检查是否对其进行了防范。
微信官方的SDK已经升级,其中相关代码做了防范,如下:
package com.github.wxpay.sdk;
import org.w3c.dom.Document;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
/**
 * Hardened JAXP factory helpers for parsing WeChat Pay callback XML.
 *
 * <p>Builders returned here reject DOCTYPE declarations, refuse external
 * general/parameter entities and external DTDs, disable XInclude and
 * entity-reference expansion, and run with JAXP secure processing on, so
 * untrusted XML cannot trigger external entity (XXE) resolution.
 *
 * <p>2018/7/3
 */
public final class WXPayXmlUtil {

    /**
     * Builds a {@link DocumentBuilder} from a factory locked down as described on the class.
     *
     * @return a new hardened builder
     * @throws ParserConfigurationException if the installed parser rejects one of the
     *         requested features or cannot create a builder
     */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Every JAXP implementation must support this feature; it turns on the parser's resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright is the primary XXE defence.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The remaining switches are defence in depth should a DOCTYPE ever be allowed.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Creates an empty DOM {@link Document} from a hardened builder.
     *
     * @return a new, empty document
     * @throws ParserConfigurationException if the builder cannot be created
     */
    public static Document newDocument() throws ParserConfigurationException {
        final DocumentBuilder builder = newDocumentBuilder();
        return builder.newDocument();
    }
}
如果您不是使用官方的SDK,而是自己解析的,可以参考下面的代码:
package com.jianggujin.magicpay.util;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
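/**
 * XML 工具 — factory helpers for the JAXP DOM, SAX, StAX and XSLT entry points,
 * each pre-configured against XML External Entity (XXE) attacks.
 *
 * <p>Every factory created here disables external general/parameter entities and
 * external DTD loading; where the API supports it, DOCTYPE declarations are
 * rejected outright and JAXP secure processing is enabled. Use these instead of
 * bare {@code newInstance()} calls whenever the XML comes from an untrusted
 * source such as a payment callback notification.
 *
 * @author jianggujin
 */
public class JXMLUtils {
    private static final String FEATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    private static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // StAX has no XMLInputFactory constant for this property, so the name is spelled out.
    private static final String STAX_SUPPORT_EXTERNAL_ENTITIES = "javax.xml.stream.isSupportingExternalEntities";

    /**
     * Creates a DOM {@link DocumentBuilder} that rejects DOCTYPEs, external entities,
     * external DTDs, XInclude and entity-reference expansion.
     *
     * @return a new hardened builder
     * @throws ParserConfigurationException if the installed parser does not support one of the
     *         requested features or cannot create a builder
     */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary defence: a DOCTYPE is refused before any entity can be declared.
        factory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        // Defence in depth should the DOCTYPE feature ever be relaxed.
        factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        // Every JAXP implementation must support this feature; it enables the parser's
        // entity-expansion and resource limits, so it is safe to turn on unconditionally.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Creates an empty DOM {@link Document} from a hardened builder.
     *
     * @return a new, empty document
     * @throws ParserConfigurationException if the builder cannot be created
     */
    public static Document newDocument() throws ParserConfigurationException {
        return newDocumentBuilder().newDocument();
    }

    /**
     * Creates a {@link SAXParserFactory} configured the same way as {@link #newDocumentBuilder()}:
     * DOCTYPEs rejected, external entities and external DTDs disabled, secure processing on.
     *
     * @return a new hardened factory
     * @throws ParserConfigurationException if the installed parser cannot be configured
     * @throws SAXException if the installed parser does not recognise or support one of the features
     */
    public static SAXParserFactory newSAXParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Same primary defence as the DOM builder; without it a DOCTYPE with an internal
        // subset would still be processed even though external entities are off.
        factory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    /**
     * Creates a {@link SAXParser} from {@link #newSAXParserFactory()}.
     *
     * @return a new hardened parser
     * @throws ParserConfigurationException if the parser cannot be created
     * @throws SAXException if a hardening feature is unsupported
     */
    public static SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        return newSAXParserFactory().newSAXParser();
    }

    /**
     * Creates an {@link XMLReader} that rejects DOCTYPEs and disables external entities and DTDs.
     *
     * <p>{@link XMLReaderFactory} is deprecated since Java 9; it is kept here because the method's
     * exception signature (only {@link SAXException}) is part of the public contract.
     *
     * @return a new hardened reader
     * @throws SAXException if the reader cannot be created or a feature is unsupported
     */
    public static XMLReader newXMLReader() throws SAXException {
        XMLReader reader = XMLReaderFactory.createXMLReader();
        reader.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        // Redundant while DOCTYPEs are disallowed, but harmless and protects against
        // the feature above being relaxed later.
        reader.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        reader.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        reader.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        return reader;
    }

    /**
     * Creates a {@link TransformerFactory} that cannot fetch external DTDs or stylesheets.
     *
     * <p>Setting the access attributes to the empty string denies every protocol, which
     * blocks XXE and SSRF-style fetches during XSLT processing.
     *
     * @return a new hardened factory
     */
    public static TransformerFactory newTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * Creates a StAX {@link XMLInputFactory} with DTD support and external entities disabled.
     *
     * @return a new hardened factory
     */
    public static XMLInputFactory newXMLInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Disables DTD processing entirely for readers created from this factory.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces: external entity resolution stays off even if DTDs were re-enabled.
        factory.setProperty(STAX_SUPPORT_EXTERNAL_ENTITIES, false);
        return factory;
    }
}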
dom4j
// dom4j: saxReader is presumably an org.dom4j.io.SAXReader created by the caller (its construction is not shown).
// Rejecting the DOCTYPE is the primary XXE defence; the two entity switches are defence in depth.
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
jdom
// jdom: SAXBuilder, Document and File must be imported by the caller; fileName is not declared in this snippet.
SAXBuilder builder = new SAXBuilder();
// Rejecting the DOCTYPE is the primary XXE defence; the two entity switches are defence in depth.
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// NOTE(review): unlike the DocumentBuilder configuration earlier on this page, load-external-dtd is
// not switched off here — confirm whether the caller relies on DOCTYPE rejection alone.
Document doc = builder.build(new File(fileName));
更多解决方案请参考:https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B