2

I'm having a very similar issue to this post - Java and Xerces: can't find property XMLConstants.ACCESS_EXTERNAL_DTD - but with working on Android Studio IDE.

I'm also trying to fix the same issue about disabling XML external entity (XXE) processing that gets raised as a vulnerability in our SonarCloud analysis (see: https://sonarcloud.io/project/issues?id=org.digitalcampus.mobile.learning&open=AW3ezGnx-dJmagWAiKPH&resolved=false&types=VULNERABILITY).

As far as I can tell, I have the most recent version of Android Studio installed, along with the all recent updates for Java, my Android Studio about dialog shows this:

Android Studio 3.5.3
Build #AI-191.8026.42.35.6010548, built on November 15, 2019
JRE: 1.8.0_202-release-1483-b49-5587405 amd64
JVM: OpenJDK 64-Bit Server VM by JetBrains s.r.o
Linux 4.15.0-76-generic

I'd really appreciate any feedback/help on how I can resolve this, so I can remove the vulnerability from my code. Just let me know if there is any other specific information (versions etc) that you may need.

Thanks in advance for you help...

Update (14/2/20)... Looks like the ACCESS_EXTERNAL_DTD constant is not available in Android - see the Android java reference docs: https://developer.android.com/reference/javax/xml/XMLConstants.html.

So would the FEATURE_SECURE_PROCESSING constant be sufficient?

Alex Little
  • 502
  • 6
  • 21

1 Answers1

3

you can use the below code to solve your issue, check the XML External Entity Prevention Cheat Sheet for more details

 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    try {

        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);


    } catch (ParserConfigurationException e) {
        // This should catch a failed setFeature feature


    } catch (SAXException e) {
        // On Apache, this should be thrown when disallowing DOCTYPE

    } catch (IOException e) {
        // XXE that points to a file that doesn't exist

    }

// Load XML file or stream using a XXE agnostic configured parser...
        DocumentBuilder safebuilder = dbf.newDocumentBuilder();

if this was helpful, please mark this as the answer.

Chamlal
  • 156
  • 1
  • 5
  • just what I needed... it's now no longer showing as a vulnerability (on the instance I've tested on anyway). I did get the message that the SAXException and IOException aren't thrown in that particular try block, so I didn't need to include these catches. – Alex Little Feb 17 '20 at 11:38