XML External Entity Injection: Hp Fortify issue in java 1.6

Question

I was trying to fix XEE issue and have tried other options but won't work. Would be great if there were any pointers.

Below is my code snippet..

ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
Source xmlSource = new DOMSource(feed);
Result outputTarget = new StreamResult(outputStream);
TransformerFactory.newInstance().newTransformer().transform(xmlSource,outputTarget);
is = new ByteArrayInputStream(outputStream.toByteArray());

Duplicate of https://stackoverflow.com/questions/35479324/prevent-xxe-fortify-issue-for-trasnformerfactory? — Dave Satch, May 07 '19 at 07:17

score 0 · Answer 1 · answered Sep 28 '18 at 11:52

0

Have a look at OWASP XXE Prevention Cheat Sheet

based of what i see in your code, you should modifiy it like this :

ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
Source xmlSource = new DOMSource(feed);
Result outputTarget = new StreamResult(outputStream);

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

tf.newTransformer().transform(xmlSource,outputTarget);
is = new ByteArrayInputStream(outputStream.toByteArray());

answered Sep 28 '18 at 11:52

SPoint

582
2
10

Thank you so much.. let me try this – Thibbesh Gowda Oct 01 '18 at 09:30
This won't work in the version of Java mentioned (1.6) as those constants were not implemented until Java 7. The best solution is to update to a supported version of Java. – Dave Satch May 07 '19 at 07:17

XML External Entity Injection: Hp Fortify issue in java 1.6

1 Answers1