Veracode XML External Entity Reference (XXE) unmarshaling org.w3c.dom.Element

Question

I am getting an XML External Entity Reference (XXE) vulnerability from the code scan audit(Veracode) while unmarshaling an Element.

    public static <T> T unMarshal(org.w3c.dom.Element content, Class<T> clazz) throws JAXBException {
    JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
    return (T) unmarshaller.unmarshal(content, clazz).getValue();
}

How can I fix Improper Restriction of XML External Entity Reference ('XXE') in the above code ?

How can I fix Improper Restriction of XML External Entity Reference ('XXE') in the above code ? — siddharthdg, Oct 16 '17 at 16:21
I think this one was also posted here: https://stackoverflow.com/questions/12977299/prevent-xxe-attack-with-jaxb — tr4nc3, May 31 '18 at 21:55
Possible duplicate of [Prevent XXE Attack with JAXB](https://stackoverflow.com/questions/12977299/prevent-xxe-attack-with-jaxb) — Urosh T., Sep 25 '19 at 18:51

score 3 · Accepted Answer · answered Oct 24 '19 at 14:31

According to your example you can try this code:

public static <T> T unMarshal(org.w3c.dom.Element content, Class<T> clazz) throws JAXBException, XMLStreamException {
  JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
  Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();

  XMLInputFactory xmlif = XMLInputFactory.newFactory();
  xmlif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
  xmlif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
  XMLStreamReader xsr = xmlif.createXMLStreamReader(content);

  return (T) unmarshaller.unmarshal(xsr, clazz).getValue();
}

I think that above solution can resolves an issue related to (CWE 611) XML External Entity Reference

Veracode XML External Entity Reference (XXE) unmarshaling org.w3c.dom.Element

1 Answers1