2014-10-21 10 views
5

How do I prevent XML injection such as an XML bomb or an XXE attack?

android:minSdkVersion="14" 

I am developing an Android application in which I need to parse an XML file. For this I am using a DOM parser, like this:

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = null;
Document doc = null;
try {
    dBuilder = dbFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
}

But when the code was checked for security, I got two security issues on the line

dBuilder = dbFactory.newDocumentBuilder();

which are

1. XML Entity Expansion Injection (XML Bomb)

2. XML External Entity Injection (XXE Attack)

After some research I added the line dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But now I get an exception when this line is executed:

javax.xml.parsers.ParserConfigurationException: http://javax.xml.XMLConstants/feature/secure-processing 

Can anyone help me?

+0

I am getting the same problem. Did you ever find a solution for this? –

+0

@Elliot Chance - no –

+0

Has either of you found a solution for this? – digitizedx

Answer

1

Have you tried the following snippet from the OWASP page?

import java.io.IOException;
import java.util.logging.Logger; // stand-in for the otherwise undeclared "logger" used below
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

Logger logger = Logger.getLogger("xml-parsing");
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null; // declared outside the try so the catch block can name the failing feature
try {
    // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
    // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

    // If you can't completely disable DTDs, then at least do the following:
    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);

    // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
    // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    dbf.setFeature(FEATURE, false);

    // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
    // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
    // (http://cwe.mitre.org/data/definitions/918.html) and denial
    // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

    // remaining parser logic: build the hardened parser and parse the input with it
    DocumentBuilder db = dbf.newDocumentBuilder();
    Document doc = db.parse(xmlInput); // xmlInput: your InputStream (or File) holding the XML
}
catch (ParserConfigurationException e) {
    // This should catch a failed setFeature feature
    logger.info("ParserConfigurationException was thrown. The feature '" +
        FEATURE +
        "' is probably not supported by your XML processor.");
}
catch (SAXException e) {
    // On Apache, this should be thrown when disallowing DOCTYPE
    logger.warning("A DOCTYPE was passed into the XML document");
}
catch (IOException e) {
    // XXE that points to a file that doesn't exist
    // (java.util.logging has no error(); severe() is the equivalent level)
    logger.severe("IOException occurred, XXE may still be possible: " + e.getMessage());
}
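The snippet above aborts at the first feature the platform does not know, which is exactly what happened with FEATURE_SECURE_PROCESSING on the Android parser in the question. As an added example (not code from the question, the answers or OWASP), the class below applies the same settings one feature at a time, records the ones the platform rejects instead of failing, and then checks with a constructed probe document whether the primary defence, DOCTYPE rejection, actually holds on that platform. The class name SafeXmlFactory and the probe document are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public final class SafeXmlFactory {
    // Constructed probe document (not an attack payload): one harmless internal entity.
    // A parser that accepts it accepts DOCTYPEs, which XXE and entity expansion both need.
    private static final String DOCTYPE_PROBE =
        "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
    private static final String[] FEATURES_ON = {
        XMLConstants.FEATURE_SECURE_PROCESSING,
        "http://apache.org/xml/features/disallow-doctype-decl" };
    private static final String[] FEATURES_OFF = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities" };

    /** Hardened factory; features the platform rejects are collected in unsupported, not fatal. */
    public static DocumentBuilderFactory newHardenedFactory(List<String> unsupported) {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (String f : FEATURES_ON)  trySetFeature(dbf, f, true, unsupported);
        for (String f : FEATURES_OFF) trySetFeature(dbf, f, false, unsupported);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    private static void trySetFeature(DocumentBuilderFactory dbf, String feature,
                                      boolean value, List<String> unsupported) {
        try {
            dbf.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            unsupported.add(feature); // the exception the question ran into; keep going
        }
    }

    /** Self-test: true only if a builder from this factory refuses a document with a DOCTYPE. */
    public static boolean rejectsDoctype(DocumentBuilderFactory dbf)
            throws ParserConfigurationException {
        try {
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(DOCTYPE_PROBE.getBytes("UTF-8")));
            return false; // parsed: DTDs are still accepted, so the parser is only partially hardened
        } catch (SAXException e) {
            return true;  // expected when disallow-doctype-decl took effect
        } catch (IOException e) {
            return false; // read failure, not a DOCTYPE rejection
        }
    }
}
```

Run rejectsDoctype once at start-up (or in a unit test) on the target Android version: if it returns false, treat the unsupported list as the features you still need to mitigate some other way before feeding the parser untrusted XML.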
+0

This does not work either. I cannot find any documentation on this. FEATURE_SECURE_PROCESSING must be supported by all parsers ... but there is no information on why Android behaves differently. –

0

import java.io.IOException;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

String jaxbContext = "com.fnf.dfbatch.jaxb";

JAXBContext jc = null;
Unmarshaller u = null;
BatchJobs jobsDef = null; // the JAXB root type this code unmarshals into
String FEATURE_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
String FEATURE_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
try {
    jc = JAXBContext.newInstance(jaxbContext);
    u = jc.createUnmarshaller();
    /*jobsDef = (BatchJobs) u.unmarshal(DfBatchDriver.class
       .getClassLoader().getResourceAsStream(
         DfJobManager.configFile));*/

    // Parse with a DocumentBuilder that has external entities disabled, then hand the DOM to JAXB
    // instead of letting the unmarshaller parse the raw stream itself
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature(FEATURE_GENERAL_ENTITIES, false);
    dbf.setFeature(FEATURE_PARAMETER_ENTITIES, false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    DocumentBuilder db = dbf.newDocumentBuilder();
    Document document = db.parse(DfBatchDriver.class
       .getClassLoader().getResourceAsStream(
         DfJobManager.configFile));
    jobsDef = (BatchJobs) u.unmarshal(document);
} catch (JAXBException | ParserConfigurationException | SAXException | IOException e) {
    throw new IllegalStateException("Could not load " + DfJobManager.configFile, e);
}
+4

Would you like to explain your answer? –
