
How to protect javax.xml.transform.TransformerFactory from XML external entity attacks

Published: 2020-12-15 23:59:37  Category: Encyclopedia  Source: compiled from the web
I have researched this topic but have not found any relevant information.

Do we need to take any security measures to protect javax.xml.transform.Transformer from XML external entity attacks?

I did the following, and it seems to expand the DTD.

import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

String fileData = "<!DOCTYPE acunetix [  <!ENTITY sampleVal SYSTEM \"file:///media/sample\">]><username>&sampleVal;</username>";
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // expected to block external entity resolution
Transformer transformer = transformerFactory.newTransformer();
StringWriter buff = new StringWriter();
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
System.out.println(buff.toString());

The output contains the value from the file:

<username>test</username>
Your code seems right. When I run this slightly modified JUnit test case:
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import java.io.File;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URISyntaxException;
import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.junit.Test;

@Test
public void test() throws TransformerException, URISyntaxException {
  File testFile = new File(getClass().getResource("test.txt").toURI());
  assertTrue(testFile.exists());
  // External entity pointing at a local test file; secure processing should keep it unresolved
  String fileData = "<!DOCTYPE acunetix [  <!ENTITY foo SYSTEM \"file://" +
                    testFile.toString() +
                    "\">]><xxe>&foo;</xxe>";
  TransformerFactory transformerFactory = TransformerFactory.newInstance();
  System.out.println(transformerFactory.getClass().getName());
  transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  Transformer transformer = transformerFactory.newTransformer();
  StringWriter buff = new StringWriter();
  transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
  transformer.transform(new StreamSource(new StringReader(fileData)), new StreamResult(buff));
  assertEquals("<xxe>&foo;</xxe>", buff.toString());
}

I get the following output:

com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
[Fatal Error] :1:182: External Entity: Failed to read external document 'test.txt',because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
ERROR:  'External Entity: Failed to read external document 'test.txt',because 'file' access is not allowed due to restriction set by the accessExternalDTD property.'

From the setFeature JavaDocs:

All implementations are required to support the XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:

  • true: the implementation will limit XML processing to conform to implementation limits and behave in a secure fashion as defined by the implementation. Examples include resolving user defined style sheets and functions. If XML processing is limited for security reasons, it will be reported via a call to the registered ErrorListener.fatalError(TransformerException exception). See setErrorListener(ErrorListener listener).

If I comment out transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), that error goes away; the test then fails because the entity has been resolved.

Trying to add an ErrorListener to the TransformerFactory and the Transformer:

transformerFactory.setErrorListener(new ErrorListener() {

  @Override
  public void warning(TransformerException exception) throws TransformerException {
    System.out.println("In Warning: " + exception.toString());
  }

  @Override
  public void error(TransformerException exception) throws TransformerException {
    System.out.println("In Error: " + exception.toString());
  }

  @Override
  public void fatalError(TransformerException exception) throws TransformerException {
    System.out.println("In Fatal: " + exception.toString());
  }
});

Transformer transformer = transformerFactory.newTransformer();
transformer.setErrorListener(transformerFactory.getErrorListener());

I now see the following new console output:

In Error: javax.xml.transform.TransformerException: External Entity: Failed to read external document 'test.txt',because 'file' access is not allowed due to restriction set by the accessExternalDTD property.

Perhaps your implementation treats it as a warning? Or perhaps it is the implementation you are using? It looks like the JavaDoc spec is not precise, so one implementation may do something different from another. I'd be interested to know which implementation is at fault!
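The thread shows that FEATURE_SECURE_PROCESSING alone leaves the outcome implementation-dependent, and that the built-in JDK implementation reported the blocked entity through ErrorListener.error() rather than fatalError(). The following is an added example, not code from the question or the answer above, of a factory hardened so that the outcome does not depend on that behaviour: it sets the JAXP 1.5 attributes XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET to the empty string (no protocol allowed), and installs an ErrorListener that rethrows on all three callbacks so a blocked entity surfaces as an exception instead of a console message. It assumes a JAXP 1.5 or later implementation such as the Xalan copy bundled with JDK 8+ (older implementations throw IllegalArgumentException from setAttribute for unknown names); the class, method names and the sample document with its placeholder path are constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical class name; demonstrates a TransformerFactory that refuses external entities.
public class HardenedTransformerDemo {

    // ErrorListener that converts every reported problem into an exception,
    // so it does not matter whether an implementation calls warning(), error() or fatalError().
    static final class FailFastListener implements ErrorListener {
        @Override public void warning(TransformerException e) throws TransformerException { throw e; }
        @Override public void error(TransformerException e) throws TransformerException { throw e; }
        @Override public void fatalError(TransformerException e) throws TransformerException { throw e; }
    }

    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means no protocol may be used to fetch external DTDs/entities or stylesheets.
        // Assumes a JAXP 1.5+ implementation; older ones reject these attribute names.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setErrorListener(new FailFastListener());
        return tf;
    }

    // Identity transform of an untrusted document; returns the serialized output.
    static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        // The factory listener is not inherited by the Transformer; install it explicitly.
        t.setErrorListener(tf.getErrorListener());
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the same shape as the question's document; the path is a placeholder.
        String untrusted = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>"
                         + "<username>&ext;</username>";
        try {
            String result = identityTransform(hardenedFactory(), untrusted);
            // If the implementation silently leaves the reference unexpanded, the output still
            // contains the literal "&ext;" and no file content.
            System.out.println("Transform completed: " + result);
        } catch (TransformerException e) {
            System.out.println("Rejected by listener: " + e.getMessage());
        }
    }
}
```

With the JDK's bundled implementation the run ends in the catch block with the same "access is not allowed due to restriction set by the accessExternalDTD property" message seen in the answer; the point of the rethrowing listener is that a different implementation cannot downgrade the event to a printed warning and continue. A stricter alternative for input that should never carry a DOCTYPE at all is to parse it first with a SAXParser or DocumentBuilder configured with the disallow-doctype-decl feature and hand the resulting tree to the Transformer.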

(Editor: 李大同)
