For XSL transformation I am using this interface: javax.xml.transform.Transformer. The implementation is saxon.jaxp.TransformerImpl.

I need to make this Transformer safe against XML External Entity (XXE) attacks. Right now, if there is an external entity it gets called and could be used for a denial-of-service attack.

Is there a way to configure the Transformer? I know how to do it with the Saxon parser, but I only have the Transformer class and I do not know how to get the parser out of it.

  • https://stackoverflow.com/a/45503716/14419 – Mads Hansen Feb 27 '22 at 11:48
  • Thanks a lot. Sounds quite reasonable. But in my case, unfortunately, I get this error: Selected XML parser org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser does not recognize the property http://javax.xml.XMLConstants/property/accessExternalDTD Error Error reported by XML parser processing null: URI scheme 'http' has been disallowed. Caused by org.xml.sax.SAXException: URI scheme 'http' has been disallowed – Toni26 Feb 27 '22 at 13:20

1 Answer

First (and sorry this is a bit cynical) you need to decide whether you are trying to protect against attacks, or whether you are trying to get past the security checks performed by some scanning tool. These aren't the same thing.

Assuming you are genuinely trying to protect against attacks, the first thing is to decide whether the stylesheet author is trusted.

If you're running untrusted stylesheets then you need to be very careful indeed; in particular, don't obsess about XML entity attacks because there are plenty of other ways an untrusted stylesheet can access data on your machine or go into an infinite loop.

If you're running trusted stylesheets (but against untrusted XML documents) then things are much easier, and the simplest way of doing it is to take control of all XML parsing yourself by supplying a URIResolver. Then you only need to worry about how to configure the parser to be secure, rather than trying to control it indirectly via the XSLT engine.

  • I tried whether it makes a difference regarding my problem: transformerFactory.setURIResolver(..). But when I debugged, it never accessed the code of the URIResolver. So my problem is still there – Toni26 Feb 27 '22 at 23:24
  • The URIResolver set on the transformerFactory is used for accessing stylesheets, not for accessing source documents. For that you need to set a URIResolver on the Transformer. – Michael Kay Feb 28 '22 at 08:16
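
The approach the answer and its last comment describe, written out as an added example (not Michael Kay's code and not part of Saxon): the source document is parsed by a SAX parser you configure yourself and handed to the Transformer as a SAXSource, and a URIResolver set on the Transformer (not on the factory) intercepts document() calls from the stylesheet so that secondary documents go through the same hardened parser. The stylesheet, the benign input, the XXE-style hostile input and the in-memory "extra.xml" document are all constructed for the example; the class name HardenedTransform and the http://example.invalid/ URIs are assumptions. It assumes a JAXP TransformerFactory such as Saxon on the classpath and a Xerces-derived SAX parser (the JDK's built-in one qualifies), since the disallow-doctype-decl and load-external-dtd feature names are Xerces-specific.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedTransform {

    /** Build a SAX parser that refuses DOCTYPE declarations and external entities. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright is the single most robust XXE control (Xerces feature).
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: standard SAX features plus the Xerces DTD-loading switch.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Wrap any input in a SAXSource driven by the hardened reader, so Saxon never picks the parser. */
    static Source hardenedSource(InputSource in) throws Exception {
        return new SAXSource(hardenedReader(), in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet (assumed trusted). Its document() call is what the
        // Transformer's URIResolver intercepts; the href is absolute so no base URI is needed.
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><out>"
            + "<main><xsl:value-of select=\"/doc\"/></main>"
            + "<extra><xsl:value-of select=\"document('http://example.invalid/extra.xml')/extra\"/></extra>"
            + "</out></xsl:template></xsl:stylesheet>";

        // Constructed inputs: one benign, one carrying an XXE-style DOCTYPE the parser must reject.
        String benign  = "<doc>hello</doc>";
        String hostile = "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]><doc>&xxe;</doc>";

        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer t = tf.newTransformer(
            new StreamSource(new StringReader(xsl), "http://example.invalid/stylesheet.xsl"));

        // Resolver on the *Transformer*: handles document()/doc() from the stylesheet.
        // It serves an in-memory constructed document and denies every other URI,
        // so the engine never touches the network or the file system on its own.
        t.setURIResolver(new URIResolver() {
            @Override
            public Source resolve(String href, String base) throws TransformerException {
                if (!"http://example.invalid/extra.xml".equals(href)) {
                    throw new TransformerException("document() access denied: " + href);
                }
                try {
                    return hardenedSource(new InputSource(new StringReader("<extra>side</extra>")));
                } catch (Exception e) {
                    throw new TransformerException(e);
                }
            }
        });

        // Benign input transforms normally.
        t.transform(hardenedSource(new InputSource(new StringReader(benign))),
                    new StreamResult(System.out));
        System.out.println();

        // Hostile input: the DOCTYPE is rejected before any entity could be fetched.
        try {
            t.transform(hardenedSource(new InputSource(new StringReader(hostile))),
                        new StreamResult(System.out));
            System.out.println("UNEXPECTED: hostile document was parsed");
        } catch (TransformerException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Because the XMLReader inside the SAXSource is the one that actually parses, the parser's features are set by you rather than by the XSLT engine, which sidesteps the "does not recognize the property" failure seen in the question's comment: Saxon only pushes its own accessExternalDTD-style properties onto parsers it creates itself. Treat a parser that throws SAXNotRecognizedException on disallow-doctype-decl as a deployment error rather than something to catch and ignore, since that is the feature doing most of the work.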