赞
踩
最近一段时间被曝出的微信支付的XML解析存在的安全问题,主要问题是XML外部实体注入漏洞(XML External Entity Injection,简称 XXE),该安全问题是由XML组件默认没有禁用外部实体引用导致,非微信支付系统存在漏洞。微信官方做了回应,原文地址:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
如果你在使用支付业务回调通知中,存在以下场景有使用XML解析的情况,需要检查是否对进行了防范。
微信官方的SDK已经升级,其中相关代码做了防范,如下:
package com.github.wxpay.sdk;
import org.w3c.dom.Document;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
/**
* 2018/7/3
*/
public final class WXPayXmlUtil {
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
return documentBuilderFactory.newDocumentBuilder();
}
public static Document newDocument() throws ParserConfigurationException {
return newDocumentBuilder().newDocument();
}
}
如果您不是使用官方的SDK,而是自己解析的,可以参考下面的代码:
package com.jianggujin.magicpay.util;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
/**
* XML工具
*
* @author jianggujin
*
*/
public class JXMLUtils {
private final static String FRATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
private final static String FRATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
private final static String FRATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
private final static String FRATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setFeature(FRATURE_DISALLOW_DOCTYPE_DECL, true);
documentBuilderFactory.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
documentBuilderFactory.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
documentBuilderFactory.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
// documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
// true);
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
return documentBuilderFactory.newDocumentBuilder();
}
public static Document newDocument() throws ParserConfigurationException {
return newDocumentBuilder().newDocument();
}
public static SAXParserFactory newSAXParserFactory() throws ParserConfigurationException, SAXException {
SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
saxParserFactory.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
saxParserFactory.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
saxParserFactory.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
return saxParserFactory;
}
public static SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
return newSAXParserFactory().newSAXParser();
}
public static XMLReader newXMLReader() throws SAXException {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature(FRATURE_DISALLOW_DOCTYPE_DECL, true);
// This may not be strictly required as DTDs shouldn't be allowed at all,
// per previous line.
reader.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
reader.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
reader.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
return reader;
}
public static TransformerFactory newTransformerFactory() {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
public static XMLInputFactory newXMLInputFactory() {
XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
// This disables DTDs entirely for that factory
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// disable external entities
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
return xmlInputFactory;
}
}
dom4j
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
jdom
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Document doc = builder.build(new File(fileName));
更多解决方案请参考:https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。