
Guidance on the security issues in XML parsing (Java XML parsing security)


The security issue recently disclosed in WeChat Pay's XML parsing is an XML External Entity Injection (XXE) vulnerability. It arises because common XML components do not disable external entity references by default; the WeChat Pay system itself is not the vulnerable component. WeChat has published an official response: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
If your handling of payment callback notifications parses XML in any of the following scenarios, check whether that parsing is protected against XXE.

  • Scenario 1: payment success notification
  • Scenario 2: refund success notification
  • Scenario 3: entrusted auto-debit signing, cancellation and deduction notifications
  • Scenario 4: vehicle-owner service cancellation notification
  • Scenario 5: Native (QR code) payment mode 1 callback

The official WeChat SDK has been updated; the relevant code now applies the protection as follows:

package com.github.wxpay.sdk;

import org.w3c.dom.Document;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

/**
 * 2018/7/3
 */
public final class WXPayXmlUtil {
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setExpandEntityReferences(false);

        return documentBuilderFactory.newDocumentBuilder();
    }

    public static Document newDocument() throws ParserConfigurationException {
        return newDocumentBuilder().newDocument();
    }
}

If you do not use the official SDK and parse the XML yourself, you can refer to the code below:

package com.jianggujin.magicpay.util;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

/**
 * XML utilities
 * 
 * @author jianggujin
 *
 */
public class JXMLUtils {
   private final static String FEATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
   private final static String FEATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
   private final static String FEATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
   private final static String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

   public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      // Rejecting the DOCTYPE declaration outright is the most robust defence: no DTD, no entities.
      documentBuilderFactory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
      documentBuilderFactory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
      documentBuilderFactory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
      documentBuilderFactory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
      // Left disabled here; the official SDK above additionally enables it.
      // documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
      // true);
      documentBuilderFactory.setXIncludeAware(false);
      documentBuilderFactory.setExpandEntityReferences(false);
      return documentBuilderFactory.newDocumentBuilder();
   }

   public static Document newDocument() throws ParserConfigurationException {
      return newDocumentBuilder().newDocument();
   }

   public static SAXParserFactory newSAXParserFactory() throws ParserConfigurationException, SAXException {
      SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
      saxParserFactory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
      saxParserFactory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
      saxParserFactory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
      return saxParserFactory;
   }

   public static SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
      return newSAXParserFactory().newSAXParser();
   }

   public static XMLReader newXMLReader() throws SAXException {
      XMLReader reader = XMLReaderFactory.createXMLReader();
      reader.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
      // This may not be strictly required as DTDs shouldn't be allowed at all,
      // per previous line.
      reader.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
      reader.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
      reader.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
      return reader;
   }

   public static TransformerFactory newTransformerFactory() {
      TransformerFactory transformerFactory = TransformerFactory.newInstance();
      // An empty value means no protocol is allowed for fetching external DTDs or stylesheets.
      transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
      transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
      return transformerFactory;
   }

   public static XMLInputFactory newXMLInputFactory() {
      XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
      // This disables DTDs entirely for that factory
      xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
      // disable external entities
      xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
      return xmlInputFactory;
   }
}
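As an added example (not code from the official SDK or from this post), the following self-check confirms that a builder hardened with the feature set above still parses a normal notification body but refuses any DOCTYPE, which is the behaviour a callback endpoint should verify in its tests. The class name, the field() helper and both sample bodies are my own constructions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added self-check for a hardened DocumentBuilder; not the SDK's code. */
public final class XxeHardeningCheck {

    /** Same feature set as the hardened newDocumentBuilder() methods above. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Reads one element's text from a callback body (hypothetical helper). */
    static String field(DocumentBuilder b, String xml, String name) throws Exception {
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName(name).item(0).getTextContent();
    }

    /** Returns true only if the builder parses a normal body and refuses any DOCTYPE. */
    static boolean isHardened(DocumentBuilder b) throws Exception {
        // Constructed sample of a normal notification body (not real callback data).
        String benign = "<xml><return_code>SUCCESS</return_code><out_trade_no>TEST0001</out_trade_no></xml>";
        if (!"SUCCESS".equals(field(b, benign, "return_code"))) return false;
        // Constructed body with a DOCTYPE that declares only a harmless internal entity;
        // disallow-doctype-decl must reject it before any entity is ever expanded.
        String withDoctype = "<!DOCTYPE xml [<!ENTITY e \"x\">]><xml><return_code>&e;</return_code></xml>";
        try {
            field(b, withDoctype, "return_code");
            return false; // DOCTYPE accepted: hardening is not in effect
        } catch (SAXException expected) {
            return true;  // parser refused the DOCTYPE, as configured
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened builder: " + isHardened(hardenedBuilder()));
        System.out.println("default builder:  " + isHardened(DocumentBuilderFactory.newInstance().newDocumentBuilder()));
    }
}
```

With a JDK default parser the second line prints false, because the DOCTYPE is accepted and the entity is expanded; the hardened builder prints true and logs a "DOCTYPE is disallowed" fatal error to stderr.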

dom4j

import org.dom4j.io.SAXReader;

SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

jdom

import java.io.File;
import org.jdom2.Document;          // JDOM 2 packages; use org.jdom.* for JDOM 1.x
import org.jdom2.input.SAXBuilder;

SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Document doc = builder.build(new File(fileName));

For further mitigations, see: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
