TransformerFactory still vulnerable to XXE attacks


Question


I have a method like below. I've set the FEATURE_SECURE_PROCESSING to true.

    import java.io.StringWriter;
    import javax.xml.XMLConstants;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerException;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;

    public String getString(org.w3c.dom.Node node) throws TransformerException {
        StringWriter writer = new StringWriter();
        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        Transformer transformer = transformerFactory.newTransformer();
        transformer.transform(new DOMSource(node), new StreamResult(writer));

        return writer.toString();
    }

When I run my unit test below, I can list the files under project directory, meaning it is vulnerable to XXE attacks.

    import java.io.ByteArrayInputStream;
    import java.io.File;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.junit.Test;

    @Test
    public void test() throws Exception {
        String dir = new File("").getAbsolutePath();
        String xml =
                "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
                        "<!DOCTYPE test[" +
                        "<!ENTITY problemEntity SYSTEM \"" + dir + "\">" +
                        "]>" +
                        "<Response>" +
                        "&problemEntity;" +
                        "</Response>";

        org.w3c.dom.Element node = DocumentBuilderFactory
                .newInstance()
                .newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes()))
                .getDocumentElement();

        String name = getString(node);
        System.out.println(name);
    }

How can I secure the TransformerFactory against such attacks?

Answer 1

Score: 1


You're supplying a DOMSource to the TransformerFactory, so the DTD was processed before the TransformerFactory came into existence. You need to apply any controls at the point the XML document is parsed, which is when the DOM Node gets created.

  • Posted by huangapple on 7 August 2020, 06:19:18
  • Please keep this link when reposting: https://go.coder-hub.com/63292534.html