Support #2457
Set external-parameter-entities via ProfessionalTransformerFactory.setAttribute to avoid XXE vulnerability
Status: Closed
Description
The external entities are being resolved even after setting parser features (via the Java code below) not to resolve external entities. In the example below, /tmp/abc is resolved to the actual entity. Is there sample Java code for disabling external entities to avoid the XXE vulnerability? We are using Saxon 9.6.0.7 PE.
Java Code:
factory.setAttribute("http://saxon.sf.net/feature/parserFeature?uri=http%3A//xml.org/sax/features/external-parameter-entities=",true);
Xslt:
<!DOCTYPE xsl:stylesheet [ <!ENTITY inc SYSTEM "/tmp/abc"> ]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
&inc;
</xsl:template>
</xsl:stylesheet>
Updated by Mariusz B about 9 years ago
Hi,
According to http://www.saxonica.com/html/documentation/javadoc/net/sf/saxon/lib/FeatureKeys.html#XML_PARSER_FEATURE and http://docstore.mik.ua/orelly/xml/xmlnut/ch25_03.htm you should set the value to false in the following way:
factory.setAttribute("http://saxon.sf.net/feature/parserFeature?uri=http://xml.org/sax/features/external-parameter-entities", false);
Hope that helps.
Updated by Michael Kay about 9 years ago
Several points:
Firstly, I think the parser property you want to set is external-general-entities, not external-parameter-entities.
Secondly, the Saxon documentation is a little bit misleading. The property name that you pass to factory.setAttribute() should not contain the final "=" sign. But the colon should (I think) be escaped as %3A.
Finally, setting this property only affects settings on an XML parser that Saxon creates. It has no effect if your application creates the XML parser (that is, if the input is supplied to Saxon as a SAXSource object).
Updated by Rampradeep K about 9 years ago
Thanks Michael and Mariusz. We are not using the XML parser that Saxon creates. The question is how to instruct SaxonTransformerFactory.newTemplates(Source source) not to resolve any external entities? The stylesheet is passed as a StreamSource to the newTemplates method.
Updated by Rampradeep K about 9 years ago
By the way, I was able to disallow external functions via setAttribute for the same application.
factory.setAttribute("http://saxon.sf.net/feature/allow-external-functions", false);
Updated by Michael Kay about 9 years ago
If you want detailed control over parsing, the best way is to create an XMLReader yourself and supply it to Saxon within a SAXSource object.
Updated by Rampradeep K about 9 years ago
I was able to get this working by implementing an XMLReader and passing it to Saxon. Will run some more tests and confirm the behavior.
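The approach the thread settles on, written out as an added example (this is not code from the reporter, from Michael Kay, or from Saxonica): build the XMLReader yourself with entity resolution switched off, wrap it in a SAXSource, and hand that to newTemplates, so the parser features Saxon would apply to its own parser no longer matter. It assumes Saxon-HE's net.sf.saxon.TransformerFactoryImpl on the classpath (PE users would substitute com.saxonica.config.ProfessionalTransformerFactory), a JDK or Xerces SAX parser that understands the Apache feature URIs, and Java 8 or later; the class name HardenedStylesheetLoader and the embedded stylesheet are constructed for the example. The stylesheet carries the same kind of SYSTEM entity as the report, so running it shows the entity being rejected rather than expanded.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedStylesheetLoader {

    // Constructed sample: a stylesheet with an external general entity pointing
    // at a local file, like the /tmp/abc case in the report. With the hardened
    // reader below it must never expand to the file's contents.
    static final String XSLT =
        "<!DOCTYPE xsl:stylesheet [ <!ENTITY inc SYSTEM \"/tmp/abc\"> ]>"
      + "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">"
      + "<xsl:template match=\"/\">&inc;</xsl:template>"
      + "</xsl:stylesheet>";

    /** An XMLReader that refuses DOCTYPEs, external entities and DTD fetches. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // XSLT needs namespace-aware parsing
        // Strongest option: reject any DOCTYPE, so no entity can be declared at all.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a DOCTYPE has to be tolerated, these stop the resolution itself.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Last line of defence: whatever system id is asked for, return nothing.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Compile a stylesheet through our own reader instead of one Saxon creates. */
    static Templates compile(TransformerFactory factory, String stylesheet) throws Exception {
        // Because the SAXSource carries the XMLReader, Saxon parses with exactly
        // this reader; its own parserFeature attributes are not consulted.
        SAXSource source = new SAXSource(hardenedReader(),
                                         new InputSource(new StringReader(stylesheet)));
        return factory.newTemplates(source);
    }

    public static void main(String[] args) throws Exception {
        // Saxon-HE factory; for PE use com.saxonica.config.ProfessionalTransformerFactory.
        TransformerFactory factory = new net.sf.saxon.TransformerFactoryImpl();
        // Hardening from the thread for the XSLT engine itself.
        factory.setAttribute("http://saxon.sf.net/feature/allow-external-functions", false);
        // Only reaches parsers Saxon creates (StreamSource input); note the
        // property name carries no trailing "=" and is general-entities, as
        // corrected in the thread. Harmless here, since we pass a SAXSource.
        factory.setAttribute(
            "http://saxon.sf.net/feature/parserFeature?uri=http%3A//xml.org/sax/features/external-general-entities",
            false);
        try {
            compile(factory, XSLT);
            System.out.println("compiled; &inc; was not expanded");
        } catch (TransformerConfigurationException e) {
            // Expected with disallow-doctype-decl: the DOCTYPE itself is rejected.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same SAXSource wrapping applies to the input document passed to Transformer.transform, which is the more common XXE entry point than the stylesheet; a stylesheet that is itself attacker-controlled is a larger problem than entity expansion, and allow-external-functions=false is only one part of containing it.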
Updated by Michael Kay almost 9 years ago
- Status changed from New to Resolved
- Assignee set to Michael Kay
Closing as the problem appears to be resolved.
Updated by O'Neil Delpratt almost 9 years ago
- Status changed from Resolved to Closed
Closing this one with no action