Harshit Bansal

Reputation: 71

Prevent SSRF in REST endpoint with XML input

I'm writing a REST endpoint using Spring Boot which accepts the request body as XML. I added jackson-dataformat-xml as a dependency. I want to prevent SSRF by ignoring DTD processing, XXE, etc. How can I configure my application for this?

I see that the following is configured by default for XmlMapper, but it still processes the DOCTYPE:

    xmlIn.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    // and ditto wrt [dataformat-xml#211], SUPPORT_DTD
    xmlIn.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);

Upvotes: 0

Views: 30
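One way to go beyond the two defaults quoted in the question, as an added example that is not part of the original post or of Jackson's own code: with `SUPPORT_DTD` off a StAX parser may skip a DOCTYPE rather than refuse it, so this sketch builds one hardened `XMLInputFactory`, uses it to reject any body that carries a DOCTYPE, and hands the same factory to `XmlMapper`. The names `HardenedXml`, `Order` and `rejectDoctype` and both sample documents are hypothetical, and the pre-check assumes the StAX implementation either reports the DOCTYPE as a `DTD` event or fails on it.

```java
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example: class names and sample documents are constructed for illustration.
public class HardenedXml {
    public static class Order { public String id; }

    // One factory for the pre-check and for Jackson, so the two cannot drift apart.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Last line of defence: any attempt to resolve an external resource fails.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external resource blocked: " + systemId);
        });
        return f;
    }

    // Throws if a DOCTYPE precedes the root element or the prolog does not parse.
    static void rejectDoctype(byte[] body, XMLInputFactory f) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new ByteArrayInputStream(body));
            try {
                while (r.hasNext()) {
                    int event = r.next();
                    if (event == XMLStreamConstants.DTD) throw new IllegalArgumentException("DOCTYPE is not allowed");
                    if (event == XMLStreamConstants.START_ELEMENT) return; // DOCTYPE can only precede the root
                }
            } finally { r.close(); }
        } catch (XMLStreamException e) {
            throw new IllegalArgumentException("malformed XML", e);
        }
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory f = hardenedInputFactory();
        XmlMapper mapper = new XmlMapper(f);
        byte[] ok = "<Order><id>42</id></Order>".getBytes(StandardCharsets.UTF_8);
        byte[] withDtd = "<!DOCTYPE Order SYSTEM \"order.dtd\"><Order><id>42</id></Order>".getBytes(StandardCharsets.UTF_8);
        rejectDoctype(ok, f);
        System.out.println("accepted id=" + mapper.readValue(ok, Order.class).id);
        try { rejectDoctype(withDtd, f); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In a Spring Boot application the mapper can be given to the XML converter by declaring a `MappingJackson2XmlHttpMessageConverter` bean built from it; the DOCTYPE pre-check has to run on the raw request body before that converter maps it.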

Answers (0)
