How to Prevent XML External Entity Injection on TransformerFactory

java xml xslt fortify xxe

24,146

Solution 1

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I think this would be sufficient.

Fortify would suggest below features but those doesn't work for TransformerFactory

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

We might need to change to a different parser to make use of them.

Solution 2

Because of lot of xml parsing engines in the market, each of it has its own mechanism to disable External entity injection. Please refer to the documentation of your engine. Below is an example to prevent it when using a SAX parser.

The funda is to disallow DOCTYPE declaration. However if it is required disabling external general entities and external parameter entities will not trick the underlying SAX parser to XXE injection.

public class MyDocumentBuilderFactory{

    public static DocumentBuilderFactory newDocumentBuilderFactory(){

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

        try{

            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities",false);
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities",false);

        }catch(ParserConfigurationException exp){
            exp.printStackTrace();
        }

        return documentBuilderFactory;
    }
}

24,146

Author by

Ravi Ranjan

I am a fullstack developer.

Updated on July 10, 2020

Comments

Ravi Ranjan almost 4 years
My problem:

Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack.
```
TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);
```
Solution I have tried:
1. Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true.
2. Looked into possiblities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers. e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be accepting anything else that XMLConstants.FEATURE_SECURE_PROCESSING. Impl Code
Please point me to any resource that you think I might have not gone through or a possible solution to this issue.
Ravi Ranjan over 6 years

Thanks,.this is what might be required change to a different parser to make use of them. But pointing to some reliable parser might be more helpful as an answer.
user835199 over 5 years

This will throw an error java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD if your TransformerFactory implementation does not support this feature.
astafev.evgeny about 5 years

the advice works, though I think it's important to reference OWASP recommendations as it contains some more info github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/…
Alessandro Iudicone over 4 years

This worked for me, thanks ): . Before this, I tried the solution suggested by Fortify and that didn't worked.
Hitesh over 4 years

@user835199 i also getting java.lang.IllegalArgumentException: Unknown configuration property javax.xml.XMLConstants/property/accessExternalDTD this exception.