如何使 Sonar 与 XMLInputFactory 和 woodstox 库注册实现兼容?
How to be Sonar compliant with the XMLInputFactory and woodstox library registered implementation?
我正在努力遵守以下 Sonar 拦截器规则:
XML parsers should not be vulnerable to XXE attacks (java:S2755)
XML specification allows the use of entities that can be internal or
external (file system / network access ...) which could lead to
vulnerabilities such as confidential file disclosures or SSRFs.
在 Sonar 规则描述中,他们给出了如何遵守的示例:
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
我的问题是,在应用程序的类路径中,有 2 个库 woodstox-core-asl 和 wstx-asl 在 /META-INF/services/javax.[=31= 中注册了它们自己的实现 com.ctc.wstx.stax.WstxInputFactory ].此实现 com.ctc.wstx.stax.WstxInputFactory 不支持 accessExternalDTD,因此失败并显示以下错误消息:
Unrecognized property
'http://javax.xml.XMLConstants/property/accessExternalDTD'
我尝试直接执行 new com.sun.xml.internal.stream.XMLInputFactoryImpl() 或 Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance() 成功,但它只是摆脱了对另一个的警告,即关于受限 API 的那个。
有好的解决办法吗?
下面是一个最小的可重现示例,其中的解决方法作为注释行:
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.util.StreamReaderDelegate;
public class XMLReader extends StreamReaderDelegate implements AutoCloseable {
private final Reader reader;
public XMLReader(Reader reader) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
this.reader = reader;
//XMLInputFactory factory = (XMLInputFactory) Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
setParent(factory.createXMLStreamReader(reader));
}
@Override
public void close() throws XMLStreamException {
try {
super.close();
reader.close();
} catch (IOException e) {
throw new XMLStreamException(e.getMessage(), e);
}
}
public static void main(String[] args) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
try (XMLReader xmlReader = new XMLReader(new StringReader("</test>"))) {
}
}
}
您还可以在下面的 Maven POM 文件中找到依赖项:
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>test-xml</groupId>
<artifactId>test-xml</artifactId>
<version>0.0.1-SNAPSHOT</version>
<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>wstx-asl</artifactId>
<version>3.2.8</version>
</dependency>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.4.1</version>
</dependency>
</dependencies>
</project>
显然,即使它不在规则描述中,Sonar 也可以识别 属性 XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,这是执行相同操作的 Stax 标准 属性:
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
false);
另请参阅:
我正在努力遵守以下 Sonar 拦截器规则:
XML parsers should not be vulnerable to XXE attacks (java:S2755)
XML specification allows the use of entities that can be internal or external (file system / network access ...) which could lead to vulnerabilities such as confidential file disclosures or SSRFs.
在 Sonar 规则描述中,他们给出了如何遵守的示例:
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
我的问题是,在应用程序的类路径中,有 2 个库 woodstox-core-asl 和 wstx-asl 在 /META-INF/services/javax.[=31= 中注册了它们自己的实现 com.ctc.wstx.stax.WstxInputFactory ].此实现 com.ctc.wstx.stax.WstxInputFactory 不支持 accessExternalDTD,因此失败并显示以下错误消息:
Unrecognized property 'http://javax.xml.XMLConstants/property/accessExternalDTD'
我尝试直接执行 new com.sun.xml.internal.stream.XMLInputFactoryImpl() 或 Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance() 成功,但它只是摆脱了对另一个的警告,即关于受限 API 的那个。
有好的解决办法吗?
下面是一个最小的可重现示例,其中的解决方法作为注释行:
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.util.StreamReaderDelegate;
public class XMLReader extends StreamReaderDelegate implements AutoCloseable {
private final Reader reader;
public XMLReader(Reader reader) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
this.reader = reader;
//XMLInputFactory factory = (XMLInputFactory) Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
setParent(factory.createXMLStreamReader(reader));
}
@Override
public void close() throws XMLStreamException {
try {
super.close();
reader.close();
} catch (IOException e) {
throw new XMLStreamException(e.getMessage(), e);
}
}
public static void main(String[] args) throws XMLStreamException, InstantiationException, IllegalAccessException, ClassNotFoundException {
try (XMLReader xmlReader = new XMLReader(new StringReader("</test>"))) {
}
}
}
您还可以在下面的 Maven POM 文件中找到依赖项:
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>test-xml</groupId>
<artifactId>test-xml</artifactId>
<version>0.0.1-SNAPSHOT</version>
<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>wstx-asl</artifactId>
<version>3.2.8</version>
</dependency>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.4.1</version>
</dependency>
</dependencies>
</project>
显然,即使它不在规则描述中,Sonar 也可以识别 属性 XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,这是执行相同操作的 Stax 标准 属性:
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
另请参阅: