Project

Profile

Help

Support #2457

closed

Set external-parameter-entities via ProfessionalTransformerFactory.setAttribute to avoid XXE vulnerability

Added by Rampradeep K over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
2015-09-21
Due date:
% Done:

0%

Estimated time:
Legacy ID:
Applies to branch:
Fix Committed on Branch:
Fixed in Maintenance Release:
Platforms:

Description

  The external entities are being resolved even after setting parser features (via the below java code) to not to resolve external entities. In the below example, the /tmp/abc is resolved to the actual entities. Is there a sample java code for disabling the external entities to avoid the XXE vulnerability. We are using Saxon-9.6.0.7 PE version.

Java Code:

factory.setAttribute("http://saxon.sf.net/feature/parserFeature?uri=http%3A//xml.org/sax/features/external-parameter-entities=",true);

Xslt:

]>

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

<xsl:template match="/">

&inc;

</xsl:template>

</xsl:stylesheet>

Actions #2

Updated by Michael Kay over 8 years ago

Several points:

Firstly, I think the parser property you want to set is external-general-entities, not external-parameter-entities.

Secondly, the Saxon documentation is a little bit misleading. The property name that you pass to factory.setAttribute() should not contain the final "=" sign. But the colon should (I think) be escaped as %3A.

Finally, setting this property only affects settings on an XML parser that Saxon creates. It has no effect if your application creates the XML parser (that is, if the input is supplied to Saxon as a SAXSource object).

Actions #3

Updated by Rampradeep K over 8 years ago

Thanks Michael and Maurisz. We are not using the xml parser that Saxon creates. The question is how to instruct the SaxonTransformerFactory.newTemplates(Source source) to not to resolve any external entities? The stylesheet is passed as a StreamSource to the newTemplates method.

Actions #4

Updated by Rampradeep K over 8 years ago

By the way, I was able to disallow external functions via setAttribute for the same application.

       factory.setAttribute("http://saxon.sf.net/feature/allow-external-functions", false);
Actions #5

Updated by Michael Kay over 8 years ago

If you want detailed control over parsing, the best way is to create an XMLReader yourself and supply it to Saxon within a SAXSource object.

Actions #6

Updated by Rampradeep K over 8 years ago

I was able to get this working by implementing a XMLReader and passing it to Saxon. Will run some more tests and confirm the behavior.

Actions #7

Updated by Michael Kay over 8 years ago

  • Status changed from New to Resolved
  • Assignee set to Michael Kay

Closing as the problem appears to be resolved.

Actions #8

Updated by O'Neil Delpratt over 8 years ago

  • Status changed from Resolved to Closed

Closing this one with no action

Please register to edit this issue

Also available in: Atom PDF