Sonar: Disable XML external entity (XXE) processing
Question
I am using javax.xml.validation.Validator to validate my XML as below:
private final Validator validator;
...
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Schema schema = factory.newSchema(new File(getResource(path)));
validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Any idea why Sonar says this code is noncompliant?
Answer 1
Score: 4
You have to set XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA to "".
The code below will not give any violation with SonarLint and SonarQube.
private Validator validator;
...
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(new File(getResource(path)));
validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Then block external entities where you are validating it. For example, if you are using a StAX parser, set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES and XMLInputFactory.SUPPORT_DTD to false.
XMLInputFactory factory = XMLInputFactory.newInstance();
// do not resolve external entities (the XXE vector)
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// do not process the document's DTD at all
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
validator.validate(new StAXSource(factory.createXMLStreamReader(inputStream)));
If you are using SonarLint, then clean your caches by deleting the target folder of the project.
For more info:
https://rules.sonarsource.com/java/RSPEC-2755
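A complete, runnable version of the configuration the answer describes, added here as an example (it is neither the asker's nor the answerer's code). The schema and the two sample documents are constructed inline, and the class and method names are my own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class HardenedXmlValidation {
    // Constructed sample schema: a <note> element with one required <to> child.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"note\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"to\" type=\"xs:string\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Schema-side hardening: no external DTDs or schemas may be fetched.
    static Validator newValidator() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));
        Validator v = schema.newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    // Parser-side hardening: no external entities and no DTD processing.
    static XMLInputFactory newInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    // true if the document validates; false if it is schema-invalid or not well-formed.
    static boolean isValid(String xml) throws Exception {
        XMLStreamReader reader = null;
        try {
            reader = newInputFactory().createXMLStreamReader(new StringReader(xml));
            newValidator().validate(new StAXSource(reader));
            return true;
        } catch (SAXException | XMLStreamException e) {
            return false;
        } finally {
            if (reader != null) reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(isValid("<note><to>Alice</to></note>"));   // true
        System.out.println(isValid("<note><from>Bob</from></note>")); // false: <from> is not in the schema
    }
}
```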