From 1bf4439ec8d4a1085754212de9d80a8e3baa9de6 Mon Sep 17 00:00:00 2001
From: "pixee-standardchartered[bot]" <192133916+pixee-standardchartered[bot]@users.noreply.github.com>
Date: Sun, 6 Apr 2025 03:01:56 +0000
Subject: [PATCH] (Sonar) Fixed finding: "XML parsers should not be vulnerable to XXE attacks"

---
 src/main/java/com/acme/xxe/XXEVuln.java | 9 ++++++++-
 src/main/java/com/acme/xxe/XXEVulnFixed.java | 1 +
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/acme/xxe/XXEVuln.java b/src/main/java/com/acme/xxe/XXEVuln.java
index 33cf399..feb607b 100644
--- a/src/main/java/com/acme/xxe/XXEVuln.java
+++ b/src/main/java/com/acme/xxe/XXEVuln.java
@@ -1,5 +1,6 @@
 package com.acme.xxe;
 
+import javax.xml.XMLConstants;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -33,6 +34,7 @@ public static void main(String[] args)
     public static String docToString(final Document poDocument)
         throws TransformerException {
         TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
         Transformer transformer = transformerFactory.newTransformer();
         DOMSource domSrc = new DOMSource(poDocument);
         StringWriter sw = new StringWriter();
@@ -44,6 +46,8 @@ public static String docToString(final Document poDocument)
     public static void saxTransformer(String xml)
         throws ParserConfigurationException, SAXException, IOException {
         SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         spf.setValidating(true);
         SAXParser saxParser = spf.newSAXParser();
 
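Review bot: The added `setAttribute` in XXEVuln.docToString restricts external DTD access only; the companion `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` attribute is left at its default, and the two are normally set together so the factory stays safe if it is later reused with a real stylesheet rather than the identity transformer created on the next line. Adding `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` beside it completes the pairing. Note that `setAttribute` throws `IllegalArgumentException` on a TransformerFactory implementation that does not recognise the JAXP 1.5 attribute, which the existing `throws TransformerException` does not cover; worth a comment or a guarded call if non-JDK transformers can be on the classpath. docToString's body continues past the hunk.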
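Review bot: In saxTransformer the two entity features switch off declared external general and parameter entities, but as far as I can tell they do not stop the parser from retrieving the external DTD subset named by a DOCTYPE system identifier, and `spf.setValidating(true)` on the next context line asks the parser to load that subset in order to validate; a document pointing at a remote or local identifier can therefore still cause an outbound fetch or file read, which is the SSRF/DoS side of the XXE finding. If DTD validation is not genuinely required here, `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` together with dropping `setValidating(true)` is the stronger control; if it is required, at least add `spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` so entity expansion is bounded. The extra `setFeature` calls can throw `SAXNotRecognizedException`/`SAXNotSupportedException`, which the declared `SAXException` already covers. saxTransformer's body continues past the hunk, so the parse call itself is not visible.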
@@ -54,6 +58,8 @@ public static void saxTransformer(String xml)
     public static Document withDom(String xml)
         throws ParserConfigurationException, IOException, SAXException {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         DocumentBuilder db = dbf.newDocumentBuilder();
         return db.parse(new InputSource(new StringReader(xml)));
     }
@@ -61,7 +67,8 @@ public static Document withDom(String xml)
     public static Document withDomButDisabled(String xml)
         throws ParserConfigurationException, IOException, SAXException {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        dbf.setExpandEntityReferences(true);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         DocumentBuilder db = dbf.newDocumentBuilder();
         return db.parse(new InputSource(new StringReader(xml)));
     }
diff --git a/src/main/java/com/acme/xxe/XXEVulnFixed.java b/src/main/java/com/acme/xxe/XXEVulnFixed.java
index 421b1ce..b8e0c92 100644
--- a/src/main/java/com/acme/xxe/XXEVulnFixed.java
+++ b/src/main/java/com/acme/xxe/XXEVulnFixed.java
@@ -35,6 +35,7 @@ public static void main(String[] args)
     public static String docToString(final Document poDocument) throws TransformerException {
         TransformerFactory transformerFactory = TransformerFactory.newInstance();
         transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
         Transformer transformer = transformerFactory.newTransformer();
         DOMSource domSrc = new DOMSource(poDocument);
         StringWriter sw = new StringWriter();
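Review bot: The DocumentBuilderFactory hardening in withDom is only the two entity features, and the same two lines are now pasted verbatim into withDomButDisabled in the next hunk (whose body is thereby identical to withDom, so its name no longer describes anything distinct) and into saxTransformer in the previous file hunk; the feature URIs are string literals, so a typo in any one copy silently leaves that path unprotected. The usual complete set for a DOM parser also rejects the DOCTYPE outright, turns off XInclude and sets `setExpandEntityReferences(false)` (the removed line in withDomButDisabled had it set to true), and is better kept in one private helper that both parse methods call. If legitimate inputs carry a DOCTYPE, keep the helper but omit the disallow-doctype-decl line and add the XMLConstants.ACCESS_EXTERNAL_DTD attribute instead.
```java
    /** Builds a DocumentBuilderFactory with DTD, external-entity and XInclude processing disabled. */
    private static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static Document withDom(String xml)
        throws ParserConfigurationException, IOException, SAXException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        // … unchanged: parse of the StringReader-backed InputSource …
```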
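Review bot: The line added to XXEVulnFixed.docToString is a byte-for-byte repeat of the context line directly above it, so this hunk changes nothing at runtime and should be dropped before merge. If the automated fix was trying to complete the transformer hardening, the attribute still missing in that method is the stylesheet one, `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. docToString's body continues past the hunk.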