Sonar: 禁用 XML 外部实体(XXE)处理

huangapple go评论143阅读模式
英文:

Sonar: Disable XML external entity (XXE) processing

问题

我正在使用javax.xml.validation.Validator来验证我的xml,如下所示:

        private final Validator validator;
        ...

        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new File(getResource(path)));
        validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

有任何想法为什么Sonar指出这段代码不合规吗?

英文:

I am using javax.xml.validation.Validator to validate my xml as below

        private final Validator validator;
        ...

        SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new File(getResource(path)));
        validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

Any idea why sonar says this code is noncompliant?

答案1

得分: 4

你需要将 XMLConstants.ACCESS_EXTERNAL_DTDXMLConstants.ACCESS_EXTERNAL_SCHEMA 设置为 ""。

以下代码将不会在 SonarLint 和 SonarQube 中产生任何违规行为。

private Validator validator;
...

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(new File(getResource(path)));
validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

然后,在验证时阻止外部实体。例如,如果您正在使用 STAX 解析器,请将 XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIESXMLInputFactory.SUPPORT_DTD 设置为 False

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
validator.validate(new StAXSource(factory.createXMLStreamReader(inputStream)));

如果您正在使用 SonarLint,则通过删除项目的目标文件夹来清除缓存。

有关更多信息,请参考:
https://rules.sonarsource.com/java/RSPEC-2755

英文:

You have to set XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA to "".

Below code will not give any violation with SonarLint and SonarQube.

private Validator validator;
...
    
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(new File(getResource(path)));
validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

Then, Block external entities where you are validating it.
For example, If you are using STAX parser. Then set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES and XMLInputFactory.SUPPORT_DTD to False.

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
validator.validate(new StAXSource(factory.createXMLStreamReader(inputStream)));

If you are using sonarLint then clean your caches by deleting target folder of the project.

For more info:
https://rules.sonarsource.com/java/RSPEC-2755

huangapple
  • 本文由 发表于 2020年8月20日 16:26:11
  • 转载请务必保留本文链接:https://go.coder-hub.com/63501145.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定