how to Prevent XML Entity Injection with JAXB

Question

I refer Prevent XXE Attack with JAXB this link,

but still kiwan tool showing me very heigh VULNERABILITIES in xif.createXMLStreamReader(soapHeader.getSource()) line, So please help me if anyone know.

My code is below like:

SoapHeader soapHeader = ((SoapMessage) message).getSoapHeader();

 XMLInputFactory xif = XMLInputFactory.newFactory();
 xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,false);
 xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);

XMLStreamReader soapHeaderXsr = xif.createXMLStreamReader(soapHeader.getSource());
unmarshaller.unmarshal(soapHeaderXsr);

Thanks.

You do the right things. I suspect a False Positive from your SAST tool. — SPoint, Nov 21 '19 at 10:02

score 1 · Accepted Answer · answered Nov 22 '19 at 07:42

I resolved this problem by adding extra XMLInputFactory properties which are :-

xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);

The safest way to prevent XXE is always to disable DTDs (External Entities) completely.

Set DTD propertie to false for more information refer this link.

now solve my code vulnerabilites

Thank you

how to Prevent XML Entity Injection with JAXB

1 Answers1