How to disable all XXE for all parsers

 
Greenhorn
Posts: 12
Hello all,

According to this article:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

I am looking for a way to disable all XXE functionality for all parsers without acting on each instantiation...

I have tried defining a jaxp.properties file at $JAVA_HOME/lib/jaxp.properties:

javax.xml.accessExternalStylesheet=""
javax.xml.accessExternalDTD=""
javax.xml.accessExternalSchema=""

It works correctly for DocumentBuilderFactory. I'm not sure about DocumentBuilderFactory, SAXParserFactory and DOM4J, XPathFactory, TransformerFactory, SAXTransformerFactory ... all the possible ones.

Do you have an idea?

Great thanks & best regards.

Adrien
 
Sheriff
Posts: 5124
The link above can be seen here.
 
ridaen fiefur
Greenhorn
Posts: 12
No, sorry, it's the same link that I gave above; it doesn't take all XML libraries into account.
 
Sheriff
Posts: 23713
It's true, XML libraries which aren't based on JAXP probably aren't going to pay attention to the jaxp.properties file. But finding an equivalent mechanism for every other XML library out there could be somebody's summer project.

However, if you had one particular XML library about which you wanted to ask the question, that would be a more answerable post.
 
ridaen fiefur
Greenhorn
Posts: 12
Thanks Paul, that's what I thought.
But I'm not trying to make a project of it, because I have a deadline at the end of the week.

However, do you think I need to switch the XML content validation during parsing to false, with isValidating(), for example on SAXParserFactory?
Or does it have no impact on the XXE subject?

Thanks again
 
Paul Clapham
Sheriff
Posts: 23713

ridaen fiefur wrote: However, do you think I need to switch the XML content validation during parsing to false, with isValidating(), for example on SAXParserFactory?
Or does it have no impact on the XXE subject?

I don't know what you mean to ask here. Originally you were asking about disabling XXE functionality. Now it looks like you're asking about things which aren't related to XXE functionality. I can understand disabling XXE, to avoid various security exploits which are associated with it. But I don't know what security issues would make you turn off validation, or even if there are any, so I have no opinion about whether you should do that or not.
 
ridaen fiefur
Greenhorn
Posts: 12
Thanks again Paul,

Yes, it's only for XXE in security exploitation.
So I understand that XML schema validation isn't taken into account in XXE, right? They are different things?

Yes, I think for the moment, don't disable the schema, because we really use it in our application.
 
Paul Clapham
Sheriff
Posts: 23713
Well yes, if you're using schema validation then disabling validation would be a bad idea. But remember that schemas aren't the only way to validate XML. Another validation tool is the DTD, and that's where entities (including external entities) are used. In fact if you read the main OWASP page about XXE processing you'll note that it refers specifically to DTDs and doesn't mention schemas.
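As an added example (not code from this thread, from OWASP, or from any library's documentation), the following Java class shows how the JAXP factories named in the first post are hardened per instance, and then checks the distinction Paul draws above: rejecting DOCTYPE declarations blocks DTD entities (the XXE vector) while XSD schema validation keeps working. The class name XxeHardening, the sample documents and the tiny schema are constructed for the example; the feature URIs and XMLConstants keys are the ones the OWASP cheat sheet lists for the JDK's built-in parsers. DOM4J and other non-JAXP libraries are not covered here, for the reason Paul gave.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Constructed example: per-factory XXE hardening for the JDK's JAXP parsers. */
public final class XxeHardening {

    // Primary defence recommended by OWASP: refuse any DOCTYPE, which is where DTD
    // entities (internal and external) are declared. The remaining features are
    // defence in depth for parsers that must still accept a DOCTYPE.
    public static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // StAX has no SAX feature URIs; it is configured through its own properties.
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Transformer and Schema factories honour the same javax.xml.accessExternal* keys
    // that the first post put into jaxp.properties; here they are set per instance.
    public static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    public static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Constructed inputs: one document with a harmless internal DTD entity, one without.
    static final String WITH_DOCTYPE =
        "<!DOCTYPE note [<!ENTITY greet \"hello\">]><note>&greet;</note>";
    static final String PLAIN = "<note>hello</note>";
    // Constructed schema, to show XSD validation is untouched by the DOCTYPE restriction.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedDomFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(WITH_DOCTYPE)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as intended: " + e.getMessage());
        }

        // The same hardened builder parses DOCTYPE-free input, and that DOM can still be
        // validated against an XML Schema: schema validation does not involve DTD entities.
        Document doc = db.parse(new InputSource(new StringReader(PLAIN)));
        Schema schema = hardenedSchemaFactory().newSchema(new StreamSource(new StringReader(XSD)));
        Validator v = schema.newValidator();
        v.validate(new DOMSource(doc)); // throws SAXException if the document is invalid
        System.out.println("schema validation still works: "
            + doc.getDocumentElement().getTextContent());
    }
}
```

Compile and run with `javac XxeHardening.java && java XxeHardening` on a stock JDK; no third-party library is needed. The jaxp.properties approach from the first post only reaches the JDK's own factories, and it does not switch off DOCTYPE processing, so the per-instance `disallow-doctype-decl` feature remains the check worth keeping even when the properties file is in place.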
 
ridaen fiefur
Greenhorn
Posts: 12
You're right :-) I will do that. Thanks Paul for everything!