如何防止XML注入像XML Bomb和XXE攻擊

Question

我正在開發一個Android應用程序

android:minSdkVersion="14"

在這個需要解析xml的應用程序中。因為我正在使用像這樣的DOM解析器

DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = null;
Document doc = null;
try {      
    dBuilder = dbFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
}

但是當檢查代碼的安全性時，我遇到了兩個安全問題

dBuilder = dbFactory.newDocumentBuilder(); ， 哪個是

1.XML實體擴展注入（XML Bomb）

2.XML外部實體注入（XXE攻擊）

經過一些研究，我添加了行dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

但是現在我執行此行時會遇到異常

javax.xml.parsers.ParserConfigurationException: http://javax.xml.XMLConstants/feature/secure-processing

有誰能夠幫助我？

Answer 1

您是否嘗試過OWASP頁面中的以下片段？

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
...

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
  // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
  // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
  String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
  dbf.setFeature(FEATURE, true);

  // If you can't completely disable DTDs, then at least do the following:
  // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
  // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
  FEATURE = "http://xml.org/sax/features/external-general-entities";
  dbf.setFeature(FEATURE, false);

  // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
  // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
  FEATURE = "http://xml.org/sax/features/external-parameter-entities";
  dbf.setFeature(FEATURE, false);

  // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)
  dbf.setXIncludeAware(false);
  dbf.setExpandEntityReferences(false);

  // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then 
  // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
  // (http://cwe.mitre.org/data/definitions/918.html) and denial 
  // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

  // remaining parser logic
  ...

    catch (ParserConfigurationException e) {
        // This should catch a failed setFeature feature
        logger.info("ParserConfigurationException was thrown. The feature '" +
                    FEATURE +
                    "' is probably not supported by your XML processor.");
        ...
    }
    catch (SAXException e) {
        // On Apache, this should be thrown when disallowing DOCTYPE
        logger.warning("A DOCTYPE was passed into the XML document");
        ...
    }
    catch (IOException e) {
        // XXE that points to a file that doesn't exist
        logger.error("IOException occurred, XXE may still possible: " + e.getMessage());
        ...
    }

Answer 2

String jaxbContext =“com.fnf.dfbatch.jaxb”;

    JAXBContext jc = null;
    Unmarshaller u = null;
    String FEATURE_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    String FEATURE_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    try {
        jc = JAXBContext.newInstance(jaxbContext);
        u = jc.createUnmarshaller();
        /*jobsDef = (BatchJobs) u.unmarshal(DfBatchDriver.class
                .getClassLoader().getResourceAsStream(
                        DfJobManager.configFile));*/

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();          
        dbf.setFeature(FEATURE_GENERAL_ENTITIES, false);            
        dbf.setFeature(FEATURE_PARAMETER_ENTITIES, false);      
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document document = db.parse(DfBatchDriver.class
                .getClassLoader().getResourceAsStream(
                        DfJobManager.configFile));
        jobsDef = (BatchJobs) u.unmarshal(document);