Fortify fix for XML External Entity Injection

java fortify xxe
veera picture veera · Jul 7, 2016 · Viewed 18.1k times · Source

When I do scan using fortify tool, I got some issues under "XML External Entity Injection". 

TransformerFactory trfactory = TransformerFactory.newInstance();

This is the place where it is showing error. I have given the below fix as suggested by fortify 

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false); 
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

but still the issues are not fixed. How to fix this issue?

Answer

Kondal Kolipaka picture Kondal Kolipaka · Aug 4, 2017 
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

This would be sufficient.

Related questions

How to Prevent XML External Entity Injection on TransformerFactory

My problem: Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack. TransformerFactory factory = TransformerFactory.newInstance(); StreamSource xslStream = new StreamSource(inputXSL); Transformer transformer = factory.newTransformer(xslStream); Solution I have tried: Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING …

Read More
log forging fortify fix

I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid off. Basically, I log some values that come …

Read More
Can't resolve Log Forging Fortify issue

I am having trouble fixing a Log Forging issue in Fortify. The issue, "writes unvalidated user input to the log", is being raised from both of the logging calls in the getLongFromTimestamp() method. public long getLongFromTimestamp(final String value) { LOGGER.…

Read More