XMLStreamReader / InputStream XXE vulnerability showing up in Checkmarx report
These lines of code cause an XXE vulnerability to be flagged in the Checkmarx report:
InputStream is = connection.getInputStream();
XMLInputFactory factory = XMLInputFactory.newInstance();
XMLStreamReader reader = factory.createXMLStreamReader(is);
The finding states:
"The application sends a request to a remote server, for some resource, using createXMLStreamReader. However, an attacker can control the target of the request, by sending a URL or other data in getInputStream."
Is there a way to fix this?
Found the answer that worked for me here; add these properties to the XMLInputFactory:
XMLInputFactory xif = XMLInputFactory.newFactory();
//prevents using external resources when parsing xml
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
//prevents using external document type definition when parsing xml
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
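An added example (not code from the question or the answer above) that puts the two properties into a reusable factory and feeds it a constructed document containing an external entity declaration; the class name, the helper names and the placeholder file path are assumptions.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class HardenedStaxParser {

    // Factory configured as in the answer: no external entities, no DTD processing.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }

    // Walks the stream and returns the concatenated character content.
    static String readText(XMLInputFactory xif, InputStream is) throws XMLStreamException {
        XMLStreamReader reader = xif.createXMLStreamReader(is);
        StringBuilder sb = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed test document: an internal DTD declaring an entity that points at a
        // local file (placeholder path; it does not exist on any real system).
        String doc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">]>\n"
                + "<data>&ext;</data>";
        InputStream is = new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8));
        try {
            String text = readText(hardenedFactory(), is);
            // With DTD support off the entity is never resolved, so no file content can appear here.
            System.out.println("Parsed text content: '" + text + "'");
        } catch (XMLStreamException e) {
            // Some StAX implementations reject the DOCTYPE or the undeclared entity reference
            // outright once DTD support is disabled; that is also the safe outcome.
            System.out.println("Parser rejected the document: " + e.getMessage());
        }
    }
}
```

Whether the document parses to empty text or is rejected depends on the StAX implementation on the classpath, but in both cases the external resource is never fetched, which is what the Checkmarx finding is about.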