
How to disable XInclude when parsing XML?

I have been given to understand that XInclude is a potential vulnerability when receiving XML from untrusted sources. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

The XML which I expect from external sources is quite simple and there is never any requirement for including external XML.

I have tried the following to disable XInclude (as recommended in the Cheat Sheet):

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setXIncludeAware(false);          // turn off XInclude processing
dbf.setExpandEntityReferences(false); // do not expand entity references

and used this XML to test

<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="file://d/temp/badxml.xml" parse="xml">
    </xi:include>
</data>

The external file contains invalid XML.

I had expected that the parser would fail if setXIncludeAware is set to true but this is not the case. The snippet is always parseable. I am using Java 8.

Is this a valid test? Is this the correct way to avoid XInclude attacks?

This is the correct way to avoid XInclude and entity attacks, but that is not a valid test for XInclude attacks, as you have discovered.

According to this answer, "XInclude support relies on namespace support, which is turned off by default for backward compatibility reasons". So call dbf.setNamespaceAware(true);
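An added example (not code from the question or the answer) that applies the answer's point: the factory is made namespace-aware so the XInclude switch actually takes effect, the entity and DTD hardening from the OWASP cheat sheet is applied, and a negative control re-enables XInclude on the same document to show that the include is only honoured once namespaces are on. The include href is a constructed placeholder path that does not exist; with the JDK's built-in Xerces parser an include that fails with no xi:fallback is a fatal error, so the negative control throws.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XIncludeCheck {
    // Constructed sample; the href is a placeholder path that does not exist.
    static final String SAMPLE =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
      + "<data xmlns:xi=\"http://www.w3.org/2001/XInclude\">"
      + "<xi:include href=\"file:///nonexistent/placeholder.xml\" parse=\"xml\"/>"
      + "</data>";

    // Hardened factory: namespace-aware so the XInclude setting is effective,
    // XInclude off, DOCTYPE forbidden, external entities and external DTD loading off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return dbf;
    }

    // True when the xi:include element survives parsing untouched, i.e. was not processed.
    static boolean includeIgnored(DocumentBuilderFactory dbf) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(SAMPLE)));
        return doc.getElementsByTagNameNS("http://www.w3.org/2001/XInclude", "include").getLength() == 1;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened: include ignored = " + includeIgnored(hardenedFactory()));
        // Negative control: with namespaces on and XInclude on, the include is processed
        // and the unresolvable href (no xi:fallback) makes parse() throw.
        DocumentBuilderFactory permissive = hardenedFactory();
        permissive.setXIncludeAware(true);
        try {
            System.out.println("negative control: include ignored = " + includeIgnored(permissive));
        } catch (Exception e) {
            System.out.println("negative control: include processed, parse failed: " + e.getMessage());
        }
    }
}
```

Without the setNamespaceAware(true) call the negative control would also parse cleanly, which is exactly why the original test could not tell the two configurations apart.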
