Does setting FEATURE_SECURE_PROCESSING in transformerFactory update other security features as well?

Karthick M Mayan · Apr 28, 2015 · Viewed 7.7k times

In jdk1.6, while I am setting

transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);

I am facing the following error:

javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory. at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:418)

As with what I found here: How to prevent xalan.jar that has META-INF\services\javax.xml.transform.TransformerFactory from taking over JDK 1.6 built in Xalan implementation? I can't make the changes suggested there, as there will be other API conflicts, as reviewed by my admin.

And as per this link: http://xml.apache.org/xalan-j/features.html#domsource: "You can use the TransformerFactory.setFeature(String, boolean) method to set the value of a feature. Xalan-Java only supports setting of the XMLConstants.FEATURE_SECURE_PROCESSING feature. For all other features, TransformerFactory exposes their values, but cannot change their states."

So it seems we can set only this feature if the Xalan implementation of TransformerFactory is used.

transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Finally, my question: if we set the feature

transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then is the other feature (XMLConstants.ACCESS_EXTERNAL_DTD) automatically set to false?
I got the above feature as "false" from the logs I set. But I want to know for sure whether the accessExternalDTD feature is set to false by default, or only when the secure-processing feature is set to true.

Answer

JuanMoreno · Jul 25, 2019

In Java 8, yes. If we set

TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are set to "" as the OWASP guide recommends.

We can verify it with:

Object hasExternalDtd=factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
Object hasExternalStyle=factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);

after setting the FEATURE_SECURE_PROCESSING feature.

The default value, if we don't set it, is "all" for both properties.
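The following is an added example, not code from the question or the answer. It puts the check above into a small program: it reports which TransformerFactory implementation was loaded, reads both external-access attributes before and after enabling FEATURE_SECURE_PROCESSING, and then builds a factory that also pins the attributes explicitly with setAttribute. Note that XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are property names, which is why passing them to setFeature (as in the question) fails; they are read with getAttribute and written with setAttribute. The class name SecureTransformerCheck and the "unsupported" marker are this example's own inventions; an implementation that predates these JAXP properties (such as a standalone Xalan-J on the classpath) throws IllegalArgumentException for them, which the code catches rather than assuming the attributes exist.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

// Added example (not from the question or the answer): shows what
// FEATURE_SECURE_PROCESSING does to the external-access attributes on
// whichever TransformerFactory implementation is actually loaded.
public class SecureTransformerCheck {

    private static final String[] EXTERNAL_ACCESS_ATTRIBUTES = {
        XMLConstants.ACCESS_EXTERNAL_DTD,        // external DTDs and external entities
        XMLConstants.ACCESS_EXTERNAL_STYLESHEET  // xsl:import, xsl:include, document()
    };

    /** Reads both attributes; "unsupported" marks an implementation that does not know them. */
    static Map<String, String> externalAccess(TransformerFactory factory) {
        Map<String, String> values = new LinkedHashMap<>();
        for (String name : EXTERNAL_ACCESS_ATTRIBUTES) {
            try {
                Object value = factory.getAttribute(name);
                values.put(name, value == null ? "null" : "\"" + value + "\"");
            } catch (IllegalArgumentException e) {
                // e.g. an old xalan.jar picked up via META-INF/services
                values.put(name, "unsupported");
            }
        }
        return values;
    }

    /** True only when both attributes are the empty string, i.e. all external access is denied. */
    static boolean deniesExternalAccess(TransformerFactory factory) {
        for (String name : EXTERNAL_ACCESS_ATTRIBUTES) {
            try {
                if (!"".equals(factory.getAttribute(name))) {
                    return false;
                }
            } catch (IllegalArgumentException e) {
                return false; // cannot verify, so treat as not denied
            }
        }
        return true;
    }

    /**
     * Enables secure processing and then pins both attributes to "" explicitly,
     * so the outcome does not depend on what the implementation's defaults happen to be.
     */
    static TransformerFactory hardened() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        for (String name : EXTERNAL_ACCESS_ATTRIBUTES) {
            try {
                factory.setAttribute(name, "");
            } catch (IllegalArgumentException e) {
                // Implementation predates these JAXP properties; secure processing is all it offers.
                System.err.println("attribute not supported by "
                        + factory.getClass().getName() + ": " + name);
            }
        }
        return factory;
    }

    public static void main(String[] args) throws TransformerConfigurationException {
        TransformerFactory plain = TransformerFactory.newInstance();
        System.out.println("implementation: " + plain.getClass().getName());
        System.out.println("before secure processing: " + externalAccess(plain));

        plain.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("after secure processing:  " + externalAccess(plain));

        TransformerFactory secure = hardened();
        System.out.println("hardened factory denies external access: "
                + deniesExternalAccess(secure));
    }
}
```

Run it once on each JDK and classpath combination you deploy to: the first line tells you whether the JDK's built-in implementation or a third-party xalan.jar won the service lookup, and the before/after lines show whether that implementation turns "all" into "" on its own. Pinning the attributes in hardened() makes the policy explicit in your code instead of relying on that behaviour.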