Prevent XXE Attack with XStream

I would like to know how we can fix the XML External Entity (XXE) vulnerability with the XStream API.

We can do this:

// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

with DocumentBuilderFactory. More details - https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet

My code looks something like this -

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;

public static Class<?>[] myAnnotatedClasses = { Test1.class, Test2.class };

public static Object parseStr(String str) throws XStreamException
{
    // StaxDriver delegates to whichever StAX implementation is on the classpath
    XStream xstream = new XStream(new StaxDriver());
    xstream.processAnnotations(myAnnotatedClasses);
    Object obj = xstream.fromXML(str);
    return obj;
}

According to the XStream FAQ:

StaxDriver tries to turn off support for external entities for the standard StAX parser. However, the StAX implementation finally used is defined externally (see JDK documentation) and a test should be made on the target platform to ensure that the parser respects the setting.

That is to say, StaxDriver tries to tell the StAX implementation to do the right thing, but the StAX implementation you are using may ignore it. If it does ignore it, the simple answer is to use one of the alternative drivers listed in the FAQ that do not have this problem.
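The "test on the target platform" the FAQ asks for, as an added example that is not part of the original answer or of XStream itself: it feeds a StaxDriver-backed XStream a document whose only external entity points at a temp file holding a known marker, and reports whether the marker ever reaches the deserialized object. The Note bean, the alias, and the marker string are assumptions made for this probe.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeProbe {

    // Hypothetical bean the probe document maps onto: one String field.
    public static class Note { public String body; }

    /**
     * True when the StAX implementation on this platform honoured StaxDriver's
     * request to ignore external entities: either the parser rejected the
     * DOCTYPE outright, or the entity was left unexpanded. False means the
     * file content leaked into the object graph and another driver is needed.
     */
    public static boolean externalEntitiesBlocked() throws Exception {
        // Constructed: a temp file whose content must never reach the object graph.
        Path secret = Files.createTempFile("xxe-probe", ".txt");
        Files.write(secret, "MARKER-DO-NOT-LEAK".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<note><body>&ext;</body></note>";

            XStream xstream = new XStream(new StaxDriver());
            xstream.allowTypes(new Class[] { Note.class }); // XStream 1.4.x type whitelist
            xstream.alias("note", Note.class);

            Object obj;
            try {
                obj = xstream.fromXML(xml);
            } catch (XStreamException e) {
                return true; // parser refused the DOCTYPE/entity: safe outcome
            }
            String body = ((Note) obj).body;
            return body == null || !body.contains("MARKER-DO-NOT-LEAK");
        } finally {
            Files.deleteIfExists(secret);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(externalEntitiesBlocked()
            ? "StAX implementation blocks external entities"
            : "WARNING: external entity expanded; use another XStream driver");
    }
}
```

Run it once per deployment platform (or as a unit test in CI), since the StAX provider found on the classpath, not XStream, decides the outcome.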