I'm protecting software from XML expansion attacks and I want to run a file stored as a byte array through an XMLReader to test for expansion loops. Is it safe to simply create a string from the byte array or is this opening my software to a whole new area of possible exploits?
String xml = new String(myByteArray);
Thanks to all who commented.
As Raedwald pointed out, it is not necessarily a security concern, but data may be lost when converting byte[] to String.
I have found this method to work, and it seems to be secure. With this code, a SAXParseException will be thrown at 100,000 expansions. This limit can be reduced with a security manager, by setting the system property, or at runtime using -DentityExpansionLimit=|number|
import java.io.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import org.xml.sax.*;
InputStream textReader = new ByteArrayInputStream(myByteArray); // hand the raw bytes to the parser; it reads the encoding itself
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
try {
    XMLReader reader = parserFactory.newSAXParser().getXMLReader();
    reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // enforces the entity expansion limit
    InputSource inputSource = new InputSource(textReader);
    reader.parse(inputSource);
} catch (SAXParseException e) {
    // thrown once the expansion limit (100,000 by default) is exceeded; reject the input here
} catch (ParserConfigurationException | SAXException | IOException e) {
    // parser setup failure, other malformed XML, or read error
}
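Added example, not code from the original post: a helper of the kind described above (the class and method names SecureXmlCheck, parseSecurely and expansionTestDocument are assumed). It feeds the raw bytes to the parser with secure processing enabled, shows that a UTF-16 document survives the byte path where new String(bytes) under a UTF-8 default charset would mangle it, and checks that a constructed over-expanding document is rejected by the expansion limit.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class SecureXmlCheck {

    /** Parses raw bytes; true if the document is accepted, false if a parse-time limit rejects it. */
    static boolean parseSecurely(byte[] xml) throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // enforces the entity expansion limit
        XMLReader reader = factory.newSAXParser().getXMLReader();
        try {
            // The parser reads the BOM / encoding declaration from the bytes itself,
            // so nothing is lost the way new String(bytes) with the wrong charset loses it.
            reader.parse(new InputSource(new ByteArrayInputStream(xml)));
            return true;
        } catch (SAXParseException e) {
            return false; // expansion limit exceeded, or the document is malformed
        }
    }

    /** Constructed test input: 6 entity levels of 10 references each, well past the default 100,000 cap. */
    static byte[] expansionTestDocument() {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE r [\n<!ENTITY e0 \"x\">\n");
        for (int level = 1; level <= 6; level++) {
            sb.append("<!ENTITY e").append(level).append(" \"");
            for (int i = 0; i < 10; i++) sb.append("&e").append(level - 1).append(';');
            sb.append("\">\n");
        }
        sb.append("]>\n<r>&e6;</r>");
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed UTF-16 document: the bytes carry a BOM that the parser honours.
        byte[] utf16 = "<?xml version=\"1.0\" encoding=\"UTF-16\"?><r>ok</r>".getBytes(StandardCharsets.UTF_16);
        System.out.println("UTF-16 bytes accepted: " + parseSecurely(utf16));
        System.out.println("expansion test accepted: " + parseSecurely(expansionTestDocument()));
    }
}
```

The first call is expected to be accepted and the second rejected, which is the check a regression test for this parser configuration should assert.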