I am trying to implement an XML validation which should prevent XXE Injection. The code as shown on the OWASP page works perfectly with a native JDK8.
```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;

// fSchema and fXml are the XSD and the XML document to validate (java.io.File)
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = schemaFactory.newSchema(fSchema);
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(fXml));
```
The problem is that I am using this code on a Wildfly10 where Xerces2 is used internally (xercesImpl-2.11.0.SP4) and where the needed XMLConstants are not recognized:
```
Exception in thread "main" org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
```
The problem is simply reproducible in a unit test with the given Maven dependency:
```xml
<!-- https://mvnrepository.com/artifact/xerces/xercesImpl -->
<dependency>
    <groupId>xerces</groupId>
    <artifactId>xercesImpl</artifactId>
    <version>2.11.0.SP4</version>
</dependency>
```
Although it is possible to deactivate Xerces2 on Wildfly10 with the argument `-jaxpmodule "javax.xml.jaxp-provider"`, this is not what I want to do.
Does somebody know how to configure Xerces2 properly to prevent XXE Injection?
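One way to get an equivalent hardening without the JAXP 1.5 `XMLConstants` properties is to stop relying on the `Validator`'s internal parser and instead hand it a `SAXSource` built on an `XMLReader` that you have locked down with the classic Xerces feature URIs (`disallow-doctype-decl`, `external-general-entities`, `external-parameter-entities`, `load-external-dtd`). The JAXP `Validator` contract states that for a `SAXSource` the supplied `XMLReader` is used to read the document, so entity handling is decided by your reader, not by whatever Xerces version the container ships. The example below is added here and is not code from the question or from the OWASP cheat sheet; the class name, the inline XSD and the sample documents are constructed for illustration, and it assumes that the Xerces `XMLSchemaLoader` behind `SchemaFactory` also accepts `disallow-doctype-decl` (if your version throws `SAXNotRecognizedException` there, load the XSD only from a trusted local location instead of relaxing the check).

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

/** Schema validation that is XXE-safe on plain Xerces2 (no JAXP 1.5 properties required). */
public class XercesSafeValidation {

    // Feature URIs understood by Apache Xerces 2 (and by the JDK's internal Xerces fork).
    static final String DISALLOW_DOCTYPE    = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL    = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER  = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD   = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a reader that rejects any DOCTYPE and never resolves external entities or DTDs. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);                 // required for W3C schema validation
        spf.setFeature(DISALLOW_DOCTYPE, true);      // strongest setting: no DTD at all
        spf.setFeature(EXTERNAL_GENERAL, false);     // belt and braces in case DOCTYPE is ever allowed
        spf.setFeature(EXTERNAL_PARAMETER, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Compiles the XSD; the schema source is hardened too, since xs:include/xs:import also fetch URLs. */
    static Schema compileSchema(StreamSource xsd) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Assumption: Xerces' XMLSchemaLoader recognizes this feature (it is in its recognized-feature list).
        sf.setFeature(DISALLOW_DOCTYPE, true);
        return sf.newSchema(xsd);
    }

    /** Validates the document through the hardened reader; throws SAXParseException on DOCTYPE or schema errors. */
    static void validate(Schema schema, String xml) throws Exception {
        Validator validator = schema.newValidator();
        // The Validator reads the document via OUR XMLReader, so its entity policy applies.
        validator.validate(new SAXSource(hardenedReader(), new InputSource(new StringReader(xml))));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample schema and documents for the demonstration.
        String xsd = "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
                   + "<xs:element name='note' type='xs:string'/></xs:schema>";
        Schema schema = compileSchema(new StreamSource(new StringReader(xsd)));

        String clean = "<note>hello</note>";
        validate(schema, clean);
        System.out.println("clean document: accepted");

        // Any DOCTYPE (even one declaring only an internal entity) is rejected before entity expansion.
        String withDoctype = "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>";
        try {
            validate(schema, withDoctype);
            System.out.println("document with DOCTYPE: accepted (UNEXPECTED - hardening not in effect)");
        } catch (SAXParseException e) {
            System.out.println("document with DOCTYPE: rejected -> " + e.getMessage());
        }
    }
}
```

If you deploy this on WildFly, run the second case once against the container's Xerces to confirm the rejection message actually appears there; a `SAXNotRecognizedException` from any `setFeature` call means that provider does not support the feature and must not be treated as a pass.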