热门标签
热门文章
- 1带你实现java根据表结构动态导入导出Excel_java 根据表结构生产excel模板
- 2一文浅显易懂:Python中shape()和reshape()的用法和区别_cannot reshape array of size 8 into shape (2,2)
- 3数据库表的连接的几种类型_表连接的几种方式
- 4使用TensorFlow 2.x 实现YOLOv5:一个高效且易用的目标检测框架
- 5【项目实战课】大语言模型提示词(Prompt)工程实战
- 6队列详解(C语言实现)_c语言实现队列
- 7鸿蒙OS流转之跨端迁移_鸿蒙跨端迁移
- 8人工智能——DBSCAN密度聚类(1),计算机专业必看_dbsacn算法
- 9智能家居的四种无线技术
- 10Bcrypt算法学习的一些总结_bcrypt是如何匹配
当前位置: article > 正文
关于XML解析存在的安全问题指引_java xml解析安全问题
作者:寸_铁 | 2024-07-15 04:23:34
赞
踩
java xml解析安全问题
最近一段时间被曝出的微信支付的XML解析存在的安全问题,主要问题是XML外部实体注入漏洞(XML External Entity Injection,简称 XXE),该安全问题是由XML组件默认没有禁用外部实体引用导致,非微信支付系统存在漏洞。微信官方做了回应,原文地址:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
如果你在使用支付业务回调通知中,存在以下场景有使用XML解析的情况,需要检查是否对进行了防范。
- 场景1:支付成功通知
- 场景2:退款成功通知
- 场景3:委托代扣签约、解约、扣款通知
- 场景4:车主解约通知
场景5:扫码支付模式一回调
微信官方的SDK已经升级,其中相关代码做了防范,如下:
package com.github.wxpay.sdk;
import org.w3c.dom.Document;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
/**
* 2018/7/3
*/
public final class WXPayXmlUtil {
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
return documentBuilderFactory.newDocumentBuilder();
}
public static Document newDocument() throws ParserConfigurationException {
return newDocumentBuilder().newDocument();
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
如果您不是使用官方的SDK,而是自己解析的,可以参考下面的代码:
package com.jianggujin.magicpay.util;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
/**
* XML工具
*
* @author jianggujin
*
*/
public class JXMLUtils {
private final static String FRATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
private final static String FRATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
private final static String FRATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
private final static String FRATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setFeature(FRATURE_DISALLOW_DOCTYPE_DECL, true);
documentBuilderFactory.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
documentBuilderFactory.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
documentBuilderFactory.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
// documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
// true);
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
return documentBuilderFactory.newDocumentBuilder();
}
public static Document newDocument() throws ParserConfigurationException {
return newDocumentBuilder().newDocument();
}
public static SAXParserFactory newSAXParserFactory() throws ParserConfigurationException, SAXException {
SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
saxParserFactory.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
saxParserFactory.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
saxParserFactory.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
return saxParserFactory;
}
public static SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
return newSAXParserFactory().newSAXParser();
}
public static XMLReader newXMLReader() throws SAXException {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature(FRATURE_DISALLOW_DOCTYPE_DECL, true);
// This may not be strictly required as DTDs shouldn't be allowed at all,
// per previous line.
reader.setFeature(FRATURE_LOAD_EXTERNAL_DTD, false);
reader.setFeature(FRATURE_EXTERNAL_GENERAL_ENTITIES, false);
reader.setFeature(FRATURE_EXTERNAL_PARAMETER_ENTITIES, false);
return reader;
}
public static TransformerFactory newTransformerFactory() {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
public static XMLInputFactory newXMLInputFactory() {
XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
// This disables DTDs entirely for that factory
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// disable external entities
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
return xmlInputFactory;
}
}- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
dom4j
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);- 1
- 2
- 3
jdom
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Document doc = builder.build(new File(fileName));- 1
- 2
- 3
- 4
- 5
更多解决方案请参考:https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/寸_铁/article/detail/827693
推荐阅读
相关标签
