How to Prevent XML External Entity Injection on TransformerFactory
My problem:
Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack.
TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inputXSL);
Transformer transformer = factory.newTransformer(xslStream);
Solution I have tried:
Setting TransformerFactory feature for
XMLConstants.FEATURE_SECURE_PROCESSINGto true.Looked into possiblities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers. e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be accepting anything else that
XMLConstants.FEATURE_SECURE_PROCESSING. Impl Code
Please point me to any resource that you think I might have not gone through or a possible solution to this issue.
Answer
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
I think this would be sufficient.
Fortify would suggest below features but those doesn't work for TransformerFactory
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
We might need to change to a different parser to make use of them.