9

When I do scan using fortify tool, I got some issues under "XML External Entity Injection". 

TransformerFactory trfactory = TransformerFactory.newInstance();

This is the place where it is showing error. I have given the below fix as suggested by fortify 

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false); 
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

but still the issues are not fixed. How to fix this issue?

ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
veera
  • 317
  • 2
  • 3
  • 14

5 Answers5

4
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

This would be sufficient.

Kondal Kolipaka
  • 3,471
  • 22
  • 28
1

Sometime it will not work if java version is not compatible.

if (javaVersion > 1.6) {
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      }
else {
        if (javaVersion > 1.5) {
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
        }
else {
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
          dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
        }
 }

It worked for me :-)

Prathamesh Ketgale
  • 407
  • 2
  • 8
0

I tried with "Xalan" implementation class instead of TransformerFactory.newInstance().It worked for me and fortify issue got fixed

        TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
        Transformer transformer = transformerFactoryImpl.newTransformer();
veera
  • 317
  • 2
  • 3
  • 14
0

You can also try:

    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    Transformer transformer = transformerFactoryImpl.newTransformer();
    transformer.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Ben Wong
  • 1
  • 1
0

Add this line. It worked for me. 

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Maximouse
  • 4,170
  • 1
  • 14
  • 28
Abhishek Das
  • 1