
My problem:

Fortify 4.2.1 is marking the code below as susceptible to an XML External Entities (XXE) attack.

TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);

Solution I have tried:

  1. Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true.

  2. Looked into possibilities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers, e.g. disallowing the DOCTYPE declaration, etc. But TransformerFactoryImpl doesn't seem to accept anything other than XMLConstants.FEATURE_SECURE_PROCESSING. Impl Code

Please point me to any resource that you think I might have not gone through or a possible solution to this issue.

ROMANIA_engineer
Ravi Ranjan
  • I am not familiar with Fortify but you say that for SAX parsers you know how to satisfy Fortify's requirements, in that case I wonder whether providing a SAXSource instead of a StreamSource, where you set all required features on the SAX parser, works. – Martin Honnen Aug 24 '15 at 09:43
  • @MartinHonnen Thanks, let me try this and will get back. – Ravi Ranjan Aug 24 '15 at 11:06
  • @RaviRanjan I've the same sort of issue. Were you able to resolve your issue? – Thusitha Thilina Dayaratne Sep 17 '15 at 09:29
  • @ThusithaThilinaDayaratne I struggled to get a concrete solution for this, so I only set XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory class. Additionally I can point you to Xalan and Java's own TransformerFactoryImpl implementation class to research more for any solution to your problem. Please do share your findings if you are able to go through. – Ravi Ranjan Sep 21 '15 at 07:16
  • I am also facing a similar issue. Please let me know if there is any solution; I am using Java 1.6. – Laxminarayana Challagonda Jan 10 '17 at 13:28
  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j – firstpostcommenter Oct 24 '22 at 11:25

2 Answers

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I think this would be sufficient.

Fortify would suggest the features below, but those don't work for TransformerFactory:

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

We might need to change to a different parser to make use of them.

user871611
Kondal Kolipaka
  • Thanks, this is what might be required: `change to a different parser to make use of them.` But pointing to some reliable parser might be more helpful as an answer. – Ravi Ranjan Aug 22 '17 at 05:03
  • This will throw an error `java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD` if your TransformerFactory implementation does not support this feature. – user835199 Nov 01 '18 at 12:15
  • This worked for me, thanks :). Before this, I tried the solution suggested by Fortify and that didn't work. – Alessandro Iudicone Aug 21 '19 at 11:47
  • @user835199 I am also getting this exception: java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD – Hitesh Dec 06 '19 at 17:22
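The following is an added example, not code from the answer or from Fortify. It applies the three settings from the answer above, turns the IllegalArgumentException mentioned in the comments into a hard failure instead of a silent fallback, and then checks that a constructed stylesheet carrying an external DTD entity is refused at compile time. The class name, the placeholder file path and the sample stylesheet are all constructed for this illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerDemo {

    // Builds a TransformerFactory with the settings from the accepted answer.
    // An empty ACCESS_EXTERNAL_* value denies every protocol, so external DTDs,
    // external entities and remote xsl:import/xsl:include targets are refused.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Implementations predating JAXP 1.5 (e.g. a standalone Xalan jar on the
            // classpath) do not know these attributes. Fail closed: an unrestricted
            // factory must not be handed back as if it were hardened.
            throw new IllegalStateException(
                "TransformerFactory does not support JAXP 1.5 access restrictions", e);
        }
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a stylesheet whose DOCTYPE declares an external entity
        // pointing at a placeholder path. A hardened factory must refuse to compile it.
        String hostileXsl = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/file.txt\">]>"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template></xsl:stylesheet>";
        try {
            hardenedFactory().newTransformer(new StreamSource(new StringReader(hostileXsl)));
            System.out.println("UNEXPECTED: stylesheet with external DTD was compiled");
        } catch (TransformerException expected) {
            // TransformerConfigurationException (a TransformerException) is raised because
            // reading the external DTD is blocked by the accessExternalDTD restriction.
            System.out.println("Rejected as intended: " + expected.getMessage());
        }
    }
}
```

Keeping the check in a unit test is a cheap way to notice when a dependency upgrade swaps in a TransformerFactory implementation that ignores these attributes.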

Because there are a lot of XML parsing engines on the market, each of them has its own mechanism to disable external entity injection. Please refer to the documentation of your engine. Below is an example to prevent it when using a SAX parser.

The fundamental idea is to disallow the DOCTYPE declaration. However, if it is required, disabling external general entities and external parameter entities will prevent the underlying SAX parser from being tricked into XXE injection.

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class MyDocumentBuilderFactory{

    public static DocumentBuilderFactory newDocumentBuilderFactory(){

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

        try{
            // Reject any DOCTYPE declaration; this removes the XXE surface entirely.
            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
            // If a DOCTYPE must be accepted, at least block resolution of external entities.
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities",false);
            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities",false);

        }catch(ParserConfigurationException exp){
            exp.printStackTrace();
        }

        return documentBuilderFactory;
    }
}
dtrunk
Keerthikanth Chowdary
  • the advice works, though I think it's important to reference OWASP recommendations as it contains some more info https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#java – astafev.evgeny Apr 11 '19 at 05:15
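As an added example (not part of this answer or of the question's code), this block ties the SAX features above back to the original TransformerFactory problem by following the route Martin Honnen suggested in the question comments: parse both the stylesheet and the input with a hardened SAX XMLReader and hand them to the Transformer as a SAXSource, so the parser the Transformer uses is the one whose features you control. The class name, the identity stylesheet and the sample document are constructed for this illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedSaxSourceDemo {

    // SAX reader configured with the same three features as the answer's
    // DocumentBuilderFactory. A SAXSource built on it makes the Transformer
    // consume input parsed under these restrictions instead of its own defaults.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser().getXMLReader();
    }

    static SAXSource hardenedSource(String xml) throws Exception {
        return new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed identity stylesheet and a document carrying a DOCTYPE.
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"@*|node()\"><xsl:copy>"
            + "<xsl:apply-templates select=\"@*|node()\"/></xsl:copy></xsl:template>"
            + "</xsl:stylesheet>";
        String docWithDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer(hardenedSource(xsl));
        try {
            t.transform(hardenedSource(docWithDoctype), new StreamResult(System.out));
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (TransformerException expected) {
            // disallow-doctype-decl rejects every DOCTYPE, internal entities included,
            // and the SAXParseException surfaces wrapped in a TransformerException.
            System.out.println("Rejected: " + expected.getMessage());
        }
    }
}
```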