
I've been trying to resolve the Veracode "Improper Restriction of XML External Entity Reference" flaw. I looked up the issue online and found a few suggestions on how to resolve it, namely:

To my dismay, Veracode still reports the flaw and I'm frankly lost on how to proceed. I have Java 8 installed and am using JRE 1.8.

Here's a snippet of my code (edited following VGR's suggestion):

```java
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// 'reader' is the java.io.Reader holding the XML; it is declared earlier in the original code
try {
    InputSource inputSource = new InputSource(reader);
    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();

    // Reject any DOCTYPE and stop the parser loading external entities or external DTDs
    dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    // ACCESS_EXTERNAL_* take a string listing the allowed protocols; "" allows none
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    // ACCESS_EXTERNAL_STYLESHEET is a TransformerFactory property; the JDK's built-in
    // DocumentBuilderFactory does not recognise it and setAttribute throws IllegalArgumentException
    // dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    // FEATURE_SECURE_PROCESSING is a feature, so it goes through setFeature
    dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES are StAX (XMLInputFactory) properties;
    // they have no meaning for DocumentBuilderFactory, which likewise rejects them as unknown
    // dbFactory.setAttribute(XMLInputFactory.SUPPORT_DTD, false);
    // dbFactory.setAttribute(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

    dbFactory.setXIncludeAware(false);
    dbFactory.setExpandEntityReferences(false);

    DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
    org.w3c.dom.Document doc = dBuilder.parse(inputSource);
    doc.getDocumentElement().normalize();
} catch (IOException e) {
    e.printStackTrace();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
} catch (SAXException e) {
    e.printStackTrace();
}
```

How to resolve this?

  • `XMLConstants.FEATURE_SECURE_PROCESSING` is a feature, not an attribute. It should be passed to the `setFeature` method. – VGR Jun 09 '17 at 20:08
  • I tried passing it to the `setFeature` method but that didn't resolve the problem. I added two more features (edited in the post), `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES`. Let me know what you think. Thanks! – EH Khiari Jun 12 '17 at 20:21
  • You may want to read [the documentation](http://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html) for each of those attribute constants. The value for each ACCESS_EXTERNAL_\* attribute is not supposed to be boolean; it’s a string, specifically a comma-separated list of allowed URI protocols, or the empty string to forbid all external accesses. – VGR Jun 12 '17 at 20:35
  • Thank you, I'll have a look at the documentation. With what you say, passing an empty string to forbid all external access should do the trick, right? – EH Khiari Jun 13 '17 at 21:50
  • It’s certainly a step in the right direction. – VGR Jun 13 '17 at 21:51
  • Great. I'll try that and let you know what happens :) – EH Khiari Jun 14 '17 at 15:44
  • I did what you suggested but the veracode static scan still reports the same flaw. I'm starting to suspect that the scan isn't even detecting the changes that I'm putting. The line number that it reports (where the flaw allegedly is) never changes despite the changes that I make...am I missing something here? – EH Khiari Jun 15 '17 at 16:32
  • I haven’t used Veracode, but I’ve experienced this frustration with similar security analysis tools that don’t point out what exactly is wrong or missing. Try setting the old feature names, the ones prefaced with ‘Xerces 1’ or ‘Xerces 2’ in the first link you provide, in addition to the features you are currently setting. They shouldn’t make a difference functionally, but Veracode’s analysis criteria may be out of date and may require them. – VGR Jun 15 '17 at 17:02
  • I believe I tried that before but it didn't work. I'll give it another shot however and let you know what I get. Thanks! – EH Khiari Jun 15 '17 at 20:32
  • I just tried it. Same problem. It still reports the same line number despite making sure I change what's on that line with every scan. This does not make sense. – EH Khiari Jun 15 '17 at 21:23
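Whatever the scanner reports, the factory settings from the question and from VGR's comments (features via `setFeature`, string values for `ACCESS_EXTERNAL_*`) can be checked directly: a hardened `DocumentBuilderFactory` must parse a plain document and reject one that carries a DOCTYPE before any entity is resolved. The following is an added example, not code from the question or from Veracode; the class name, the two input strings and the `example.invalid` URI are constructed for the test.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {
    // Same DocumentBuilderFactory settings as the question, minus the StAX and
    // TransformerFactory constants that DocumentBuilderFactory does not recognise.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // feature, not attribute
        // String-valued: "" means no protocol may be used for external access
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses xml with the given factory and returns the root element name.
    static String rootName(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one whose DOCTYPE declares an
        // external entity; the .invalid host guarantees nothing is ever fetched.
        String benign = "<config><name>demo</name></config>";
        String withDoctype = "<!DOCTYPE config [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
                + "<config>&ext;</config>";
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("benign root: " + rootName(hardened, benign));
        try {
            rootName(hardened, withDoctype);
            System.out.println("FAIL: DOCTYPE accepted, hardening not in effect");
        } catch (SAXException e) {
            // Expected: disallow-doctype-decl rejects the input before any entity is resolved
            System.out.println("OK, rejected: " + e.getMessage());
        }
    }
}
```

If the second parse succeeds, the factory in use is not the one being configured (for example a different JAXP implementation on the classpath), which is worth ruling out before arguing with the scanner.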
