amarzeet

Reputation: 63

XML External Entity injection in xsd upload

I am uploading an XSD in my J2EE based web application which is generating Java classes that are used later for processing. Uploading an XSD has been identified as exploitable for XML External Entity injection. I searched in a lot of places and understood how it can be fixed for XML, but there is no clarity on XSD. Let me know if somebody has any idea on this.

Thanks in advance

Upvotes: 0

Views: 760

Answers (2)

amarzeet

Reputation: 63

import java.io.FileInputStream;
import java.io.IOException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.sun.tools.xjc.api.SchemaCompiler;
import com.sun.tools.xjc.api.XJC;

SchemaCompiler schemaCompiler = XJC.createSchemaCompiler();
schemaCompiler.setDefaultPackageName(packageName);
// Build the StAX reader ourselves so that DTD processing and external entity
// resolution are switched off before XJC ever sees the uploaded XSD
XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
try (FileInputStream in = new FileInputStream(xsdFile)) {
    XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(in);
    schemaCompiler.parseSchema(xsdFile.toURI().toString(), xmlStreamReader);
} catch (XMLStreamException | IOException e) {
    // handle exception
}

Upvotes: 0
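A self-contained check for the two factory properties used in this answer (an added example, not code from the question or either answer): it builds a constructed XSD whose prolog declares an external entity, reads it with a StAX reader configured the same way, and reports whether the reader refused the document, which is what you want to confirm before wiring such a reader into XJC. The class and method names are chosen here and the SYSTEM identifier is a placeholder that is never read; the exact XMLStreamException message differs between the JDK's built-in StAX and other implementations such as Woodstox, but both stop at the DTD or at the now-undeclared entity reference.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XsdUploadHardeningCheck {
    // Constructed sample upload: a valid-looking XSD whose prolog declares an
    // external entity and references it inside an annotation. The SYSTEM
    // identifier is a placeholder and is never actually read.
    static final String XSD_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xs:schema [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>\n"
        + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
        + "  <xs:annotation><xs:documentation>&ext;</xs:documentation></xs:annotation>\n"
        + "  <xs:element name=\"note\" type=\"xs:string\"/>\n"
        + "</xs:schema>\n";

    // The same two properties the answer sets before handing the reader to XJC.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Walks every event of the document. Returns true when the reader refuses it
    // (the outcome we want for an upload carrying a DTD) and false when it parses
    // to the end, i.e. the reader was willing to process the entity declaration.
    static boolean rejectsDocument(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            r.close();
            return false;
        } catch (XMLStreamException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        boolean rejected = rejectsDocument(hardenedFactory(), XSD_WITH_EXTERNAL_ENTITY);
        System.out.println("hardened StAX reader rejected the DTD-bearing XSD: " + rejected);
        // Fail loudly if the StAX implementation on the classpath ignores the settings
        if (!rejected) {
            throw new IllegalStateException("XXE hardening not effective: document parsed to end");
        }
    }
}
```

Run it once against the StAX implementation your application actually ships with; a swapped-in parser (for example one pulled in transitively) can honour these properties differently, and this check catches that.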

Michael Kay

Reputation: 163595

There's nothing special for XSD here. An XSD document is just like any other XML document as far as this attack vector is concerned.

Upvotes: 1
