我在一个软件中发现了一个类XXEUtil,主要作用是预防XXE漏洞,这确实是一个好的方案。
奈何!这个方案有个重大的弱点:它不是像Spring框架那样以AOP切面编程的思想实现的,需要开发人员在实际使用XML的时候手动调用这个类中的方法。
我截取了这个类的代码如下:
- import javax.xml.parsers.DocumentBuilderFactory;
- import javax.xml.stream.XMLInputFactory;
- import javax.xml.transform.sax.SAXTransformerFactory;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
- import org.dom4j.io.SAXReader;
- import org.jdom.input.SAXBuilder;
- import org.xml.sax.XMLReader;
-
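/**
 * Hardens the common XML parser entry points against XXE (XML External Entity)
 * attacks.
 *
 * <p>Every {@code prevent} overload is a static, opt-in call: it must be invoked
 * explicitly on each parser / factory instance before that instance is used to
 * parse untrusted input. Nothing here is applied automatically.
 *
 * <p>Each hardening switch is applied in its own {@code try} block, so a parser
 * that does not recognise one (typically a Xerces-specific) feature still gets
 * the remaining, standard SAX/JAXP controls applied. Failures are logged at
 * WARN level and never thrown, which matches the original best-effort contract
 * of this class; callers that need fail-closed behaviour should check their
 * logs or verify the parser state themselves.
 */
public class XXEUtil {

    private static final Log LOG = LogFactory.getLog(XXEUtil.class);

    // Xerces: reject any DOCTYPE declaration. Without a DTD nothing can declare an
    // entity, so this is the single strongest control when the parser supports it.
    private static final String DISALLOW_DOCTYPE_DECL =
            "http://apache.org/xml/features/disallow-doctype-decl";
    // SAX2 standard features: never resolve external general / parameter entities.
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    // Xerces: do not fetch an external DTD even in non-validating mode.
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // JAXP secure-processing properties; an empty protocol list forbids all
    // external DTD / stylesheet access.
    private static final String ACCESS_EXTERNAL_DTD =
            "http://javax.xml.XMLConstants/property/accessExternalDTD";
    private static final String ACCESS_EXTERNAL_STYLESHEET =
            "http://javax.xml.XMLConstants/property/accessExternalStylesheet";

    /**
     * Hardens a SAX {@link XMLReader}.
     *
     * <p>Besides rejecting the DOCTYPE, the standard SAX entity features and the
     * Xerces external-DTD feature are disabled as well; on a reader that does not
     * recognise the Xerces feature these are the only controls that take effect.
     *
     * @param reader the reader to harden; a {@code null} argument is ignored
     */
    public static void prevent(XMLReader reader) {
        if (reader == null) {
            return;
        }
        setFeature(reader, DISALLOW_DOCTYPE_DECL, true);
        setFeature(reader, EXTERNAL_GENERAL_ENTITIES, false);
        setFeature(reader, EXTERNAL_PARAMETER_ENTITIES, false);
        setFeature(reader, LOAD_EXTERNAL_DTD, false);
    }

    /**
     * Hardens a StAX {@link XMLInputFactory}.
     *
     * <p>Disabling DTD support removes any entity declarations; disabling external
     * entity support is the fallback for implementations that still read the DTD.
     *
     * @param factory the factory to harden; a {@code null} argument is ignored
     */
    public static void prevent(XMLInputFactory factory) {
        if (factory == null) {
            return;
        }
        setProperty(factory, XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        setProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    }

    /**
     * Hardens a dom4j {@link SAXReader}.
     *
     * @param reader the reader to harden; a {@code null} argument is ignored
     */
    public static void prevent(SAXReader reader) {
        if (reader == null) {
            return;
        }
        setFeature(reader, DISALLOW_DOCTYPE_DECL, true);
        setFeature(reader, EXTERNAL_GENERAL_ENTITIES, false);
        setFeature(reader, EXTERNAL_PARAMETER_ENTITIES, false);
    }

    /**
     * Hardens a JDOM {@link SAXBuilder}.
     *
     * @param builder the builder to harden; a {@code null} argument is ignored
     */
    public static void prevent(SAXBuilder builder) {
        if (builder == null) {
            return;
        }
        setFeature(builder, DISALLOW_DOCTYPE_DECL, true);
        setFeature(builder, EXTERNAL_GENERAL_ENTITIES, false);
        setFeature(builder, EXTERNAL_PARAMETER_ENTITIES, false);
    }

    /**
     * Hardens a {@link SAXTransformerFactory} so that neither the DTD of the input
     * nor an imported stylesheet can be fetched from an external location.
     *
     * @param sf the factory to harden; a {@code null} argument is ignored
     */
    public static void prevent(SAXTransformerFactory sf) {
        if (sf == null) {
            return;
        }
        setAttribute(sf, ACCESS_EXTERNAL_DTD, "");
        setAttribute(sf, ACCESS_EXTERNAL_STYLESHEET, "");
    }

    /**
     * Hardens a JAXP {@link DocumentBuilderFactory}.
     *
     * <p>In addition to the parser features, the JAXP-level XInclude and
     * entity-expansion switches are turned off; these do not depend on the
     * underlying parser recognising any Xerces-specific feature name.
     *
     * @param dbf the factory to harden; a {@code null} argument is ignored
     */
    public static void prevent(DocumentBuilderFactory dbf) {
        if (dbf == null) {
            return;
        }
        setFeature(dbf, DISALLOW_DOCTYPE_DECL, true);
        setFeature(dbf, EXTERNAL_GENERAL_ENTITIES, false);
        setFeature(dbf, EXTERNAL_PARAMETER_ENTITIES, false);
        setFeature(dbf, LOAD_EXTERNAL_DTD, false);
        try {
            // May throw UnsupportedOperationException on implementations that do
            // not override these setters; treat it like any other unsupported switch.
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        } catch (Exception e) {
            warn("xIncludeAware/expandEntityReferences", "false", e);
        }
    }

    // Applies one feature to a SAX XMLReader, logging (not propagating) failure.
    private static void setFeature(XMLReader reader, String feature, boolean value) {
        try {
            reader.setFeature(feature, value);
        } catch (Exception e) {
            warn(feature, String.valueOf(value), e);
        }
    }

    // Applies one feature to a dom4j SAXReader, logging (not propagating) failure.
    private static void setFeature(SAXReader reader, String feature, boolean value) {
        try {
            reader.setFeature(feature, value);
        } catch (Exception e) {
            warn(feature, String.valueOf(value), e);
        }
    }

    // Applies one feature to a JDOM SAXBuilder, logging (not propagating) failure.
    private static void setFeature(SAXBuilder builder, String feature, boolean value) {
        try {
            builder.setFeature(feature, value);
        } catch (Exception e) {
            warn(feature, String.valueOf(value), e);
        }
    }

    // Applies one feature to a DocumentBuilderFactory, logging (not propagating) failure.
    private static void setFeature(DocumentBuilderFactory dbf, String feature, boolean value) {
        try {
            dbf.setFeature(feature, value);
        } catch (Exception e) {
            warn(feature, String.valueOf(value), e);
        }
    }

    // Applies one property to a StAX factory, logging (not propagating) failure.
    private static void setProperty(XMLInputFactory factory, String name, Object value) {
        try {
            factory.setProperty(name, value);
        } catch (Exception e) {
            warn(name, String.valueOf(value), e);
        }
    }

    // Applies one attribute to a transformer factory, logging (not propagating) failure.
    private static void setAttribute(SAXTransformerFactory sf, String name, Object value) {
        try {
            sf.setAttribute(name, value);
        } catch (Exception e) {
            warn(name, String.valueOf(value), e);
        }
    }

    // Single place for the warning so every log line names the switch that was
    // not applied; a bare exception object would hide which control is missing.
    private static void warn(String name, String value, Exception e) {
        LOG.warn("XXE hardening incomplete: could not set " + name + " to " + value, e);
    }

}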
而我在全部代码中搜索,发现仅有一处地方调用了这个类的prevent函数。
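/**
 * Creates a parser for the given file and prepares a hardened SAX reader for it.
 *
 * <p>The reader is built and fully configured in a local variable and only
 * published to {@code this.reader} once every feature (including the
 * {@link XXEUtil} hardening) has been applied. If any step fails, the error is
 * logged and {@code this.reader} / {@code this.handle} keep their previous
 * (unset) values, so a partially hardened parser can never be used later on.
 *
 * <p>Failures are logged rather than thrown, as in the original contract; a
 * {@code null} {@code file} ends up in that same logged path.
 *
 * @param file the archive file to parse
 */
public SXWFileParser(File file) {
    try {
        this.setFile(file);
        String path = file.getAbsolutePath();
        this.redXArchive = new RedXArchive(path);
        org.xml.sax.XMLReader xmlReader =
                XMLReaderFactory.createXMLReader("org.apache.xerces.parsers.SAXParser");
        xmlReader.setFeature("http://xml.org/sax/features/validation", false);
        xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        xmlReader.setFeature("http://xml.org/sax/features/namespaces", true);
        // Rejects the DOCTYPE outright; the feature calls above remain as defence in depth.
        XXEUtil.prevent(xmlReader);
        RedXWriterContentHandler contentHandler = new RedXWriterContentHandler();
        xmlReader.setContentHandler(contentHandler);
        xmlReader.setEntityResolver(contentHandler);
        // Publish only after every step above succeeded.
        this.handle = contentHandler;
        this.reader = xmlReader;
    } catch (Exception e) {
        log.error(e.getMessage(), e);
    }
}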