veera

Reputation: 317

Fortify fix for XML External Entity Injection

When I scan using the Fortify tool, I get some issues under "XML External Entity Injection".

TransformerFactory trfactory = TransformerFactory.newInstance(); 

This is the place where it is showing the error. I have applied the fix below, as suggested by Fortify:

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false); 
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); 

but the issues are still not fixed. How do I fix this?

Upvotes: 9

Views: 28207

Answers (5)

Abhishek Das

Reputation: 1

Add this line. It worked for me.

// Xerces parser feature: any DOCTYPE declaration becomes a fatal parse error (supported on DocumentBuilderFactory / SAXParserFactory)
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Upvotes: 0

Kondal Kolipaka

Reputation: 3559

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // JAXP secure processing (entity-expansion and other resource limits)
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");         // empty protocol list: no external DTD or external entity may be fetched
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // likewise for xsl:import / xsl:include / document() targets

This would be sufficient.

Upvotes: 4
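To show what the factory settings from this answer (and the disallow-doctype-decl feature from the earlier answer) actually do at runtime, here is an added, self-contained example; it is not code from any of the answers above. It assumes only the JDK's built-in JAXP implementation. Both XML documents are constructed inline, and the SYSTEM identifier in the second one is a placeholder path that is never read, because the hardened factories refuse to resolve it.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlDemo {

    // Constructed sample: harmless document, no DOCTYPE.
    private static final String PLAIN_XML = "<order><id>42</id></order>";

    // Constructed sample: DOCTYPE declaring an external entity. The file path is a
    // placeholder; the hardened factories below never attempt to read it.
    private static final String EXTERNAL_ENTITY_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>\n"
        + "<order><id>&ext;</id></order>";

    /** TransformerFactory that cannot fetch external DTDs, entities or stylesheets. */
    public static TransformerFactory hardenedTransformerFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // JAXP secure processing: entity-expansion and other resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no protocol may be used to fetch a DTD or external entity.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Same restriction for xsl:import / xsl:include / document() targets.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** DocumentBuilderFactory that rejects any DOCTYPE, so no entity can be declared at all. */
    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    /** Identity transform of an XML string; returns the serialised result. */
    public static String identityTransform(TransformerFactory factory, String xml)
            throws TransformerException {
        Transformer transformer = factory.newTransformer(); // no stylesheet = identity
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = hardenedTransformerFactory();
        System.out.println(identityTransform(tf, PLAIN_XML));

        try {
            identityTransform(tf, EXTERNAL_ENTITY_XML);
            System.out.println("UNEXPECTED: external entity was resolved");
        } catch (TransformerException e) {
            // The parser reports a fatal error about accessExternalDTD instead of reading the file.
            System.out.println("transformer blocked external entity: " + e.getMessage());
        }

        try {
            hardenedDomFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(EXTERNAL_ENTITY_XML)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl turns the DOCTYPE itself into a parse error.
            System.out.println("DOM parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The first document goes through unchanged; the second fails in both parsers before any file is opened. Of the two approaches, rejecting the DOCTYPE outright is the stricter one and is the right choice when the application never needs DTDs; the access-external-* attributes are the way to keep DTD support while forbidding network and file fetches.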

Ben Wong

Reputation: 1

You can also try:

    import javax.xml.XMLConstants;
    import javax.xml.transform.Transformer;
    import org.apache.xalan.processor.TransformerFactoryImpl; // Xalan's factory class (assumed; the JDK's internal XSLTC copy has the same simple name)

    TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
    transformerFactoryImpl.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // setFeature is on the factory, not on Transformer
    Transformer transformer = transformerFactoryImpl.newTransformer();

Upvotes: 0

Prathamesh Ketgale

Reputation: 417

Sometimes it will not work if the Java version is not compatible.

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// java.specification.version is "1.5", "1.6", "1.8", "11", ... so it parses as a double
double javaVersion = Double.parseDouble(System.getProperty("java.specification.version"));
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
  if (javaVersion > 1.6) {
    // standard SAX feature names, understood by the JDK's built-in parser
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  } else if (javaVersion > 1.5) {
    // names used with the Xerces2 parser
    dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
    dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
  } else {
    // names used with the original Xerces-J parser
    dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
    dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
  }
} catch (ParserConfigurationException e) {
  // the parser in use does not recognise the feature name; fail closed rather than parse with entities enabled
  throw new IllegalStateException("cannot disable external entities on this parser", e);
}

It worked for me :-)

Upvotes: 1

veera

Reputation: 317

I tried with the "Xalan" implementation class instead of TransformerFactory.newInstance(). It worked for me and the Fortify issue got fixed.

        import javax.xml.transform.Transformer;
        import org.apache.xalan.processor.TransformerFactoryImpl; // Xalan's implementation class
        TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
        Transformer transformer = transformerFactoryImpl.newTransformer();

Upvotes: 0
