Hello,

We recently did some testing to verify the proper way of disabling
external entity resolution, as a security recommendation.

Through some unit testing, we came up with a couple of findings which I
wanted to verify were intended functionality:


* Not validating XML did not stop XXE attacks in the JAXP and StAX
  implementations; it expanded external entities.

* .setExpandEntityReferences(false) also did not stop XXE attacks in the
  JAXP implementation; it also expanded external entity references.


Should this be the case, or should those settings disable the
resolution? I've included some more details of our test results below.

We're willing to contribute the test cases if that's at all useful.

Thanks,

Dan


Tested Xerces 2.10.0 and 1.4.4

DocumentBuilderFactory (JAXP)

  .setValidating(false);
      Implementation: Xerces 1 or Xerces 2
      Stop XXE?       NO

  .setExpandEntityReferences(false);
      Implementation: Xerces 1 or Xerces 2
      Stop XXE?       NO

  .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      Implementation: Xerces 2 only
      Stop XXE?       YES!

  Both .setFeature("http://xml.org/sax/features/external-general-entities", false);
  and  .setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      Implementation: Xerces 1 and Xerces 2
      Stop XXE?       YES!

SAXParserFactory (JAXP)

  .setValidating(false);
      Implementation: Xerces 1 or Xerces 2
      Stop XXE?       NO

  .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      Implementation: Xerces 2 only
      Stop XXE?       YES!

  Both .setFeature("http://xml.org/sax/features/external-general-entities", false);
  and  .setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      Implementation: Xerces 1 and Xerces 2
      Stop XXE?       YES!

XMLInputFactory (StAX) (did not test on Xerces 1)

  .setProperty("javax.xml.stream.isValidating", false);
      Implementation: Xerces 2
      Stop XXE?       NO

  .setProperty("javax.xml.stream.isSupportingExternalEntities", false);
      Implementation: Xerces 2
      Stop XXE?       YES!


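As an added example (not part of the original message or of the Xerces project), the switches the tables above found effective, applied to a JAXP DocumentBuilderFactory and a StAX XMLInputFactory and run against a constructed document that declares an external entity; the class name, the sample document and its placeholder SYSTEM URI are assumptions, and the catch around the Xerces 2-only feature is what keeps the same code usable on Xerces 1:

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;

public class XxeHardening {
    // Constructed sample, not from the original message: it declares an external general
    // entity that an unhardened parser would try to resolve. The SYSTEM URI is a placeholder.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE foo [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
        + "<foo>&ext;</foo>";

    // JAXP DOM factory with the switches the tests above found effective.
    static DocumentBuilderFactory hardenedDom() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        try {
            // Xerces 2 only: refuse any DOCTYPE, so no entity can be declared at all.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException unsupported) {
            // Xerces 1 does not know this feature; rely on the two SAX switches below.
        }
        // Xerces 1 and 2: never resolve external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // StAX: the constant for the "javax.xml.stream.isSupportingExternalEntities" property.
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }
    public static void main(String[] args) throws Exception {
        XMLStreamReader r = hardenedStax().createXMLStreamReader(new StringReader(SAMPLE));
        StringBuilder stax = new StringBuilder();
        while (r.hasNext()) if (r.next() == XMLStreamConstants.CHARACTERS) stax.append(r.getText());
        System.out.println("StAX text: '" + stax + "'"); // external entity left unresolved
        try {
            String dom = hardenedDom().newDocumentBuilder().parse(new InputSource(
                new StringReader(SAMPLE))).getDocumentElement().getTextContent();
            System.out.println("DOM text: '" + dom + "'"); // only where the DOCTYPE was allowed
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("DOM rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

On a Xerces 2 based parser the DOM branch prints the rejection message, because disallow-doctype-decl fails the parse before any entity is declared; on a parser without that feature the text content is empty because the external entity is never fetched.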