OWASP/CheatSheetSeries

Update: XML External Entity Prevention Cheat Sheet

JoeFound opened this issue · 2 comments

What is missing or needs to be updated?

The section JAXP DocumentBuilderFactory, SAXParserFactory and DOM4J is a bit confusing to understand correctly when deciding what are the features to consider.
The section:

    // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

sounds as if it is required only when disallow-doctype-decl is not applicable, whilst it is required in all cases.

Additionally, setExpandEntityReferences(false); is not available for SAXParserFactory, where it would be possible to use

    setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

to mitigate the risk of Resource Exhaustion.

How should this be resolved?

Adding additional comments before the dbf.setXIncludeAware(false); line to clarify that it is required regardless of the Xerces version, and possibly add a separate code snippet section featuring the remediation for SAXParserFactory.
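The configuration the issue asks for, written out as an added example in Java (this is not the cheat sheet's own snippet and not the reporter's code). It hardens both a DocumentBuilderFactory and a SAXParserFactory the same way: DOCTYPE declarations are rejected where the parser supports that feature, external entities are disabled as a fallback, XInclude and entity expansion are switched off unconditionally, and FEATURE_SECURE_PROCESSING is set so that the SAX path, which has no setExpandEntityReferences, still gets the JDK's entity-expansion limits. The feature URIs are the standard Xerces/SAX ones; the sample documents are constructed for the demonstration, and the assumption is the JDK's built-in Xerces-derived parser, on which the catch blocks for unsupported features never trigger.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParsers {

    // Standard Xerces / SAX feature identifiers.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    public static DocumentBuilder hardenedDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Preferred: reject any DOCTYPE, which removes XXE and entity-expansion attacks at once.
            dbf.setFeature(DISALLOW_DOCTYPE, true);
        } catch (ParserConfigurationException e) {
            // Older parsers may not know this feature; fall back to disabling external entities.
            dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
            dbf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        }
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Required in all cases, regardless of the Xerces version or whether
        // disallow-doctype-decl was accepted above.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static SAXParser hardenedSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        try {
            spf.setFeature(DISALLOW_DOCTYPE, true);
        } catch (ParserConfigurationException | SAXException e) {
            spf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
            spf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        }
        // SAXParserFactory has no setExpandEntityReferences; secure processing applies
        // the JDK's entity-expansion limits instead, covering resource-exhaustion payloads.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setXIncludeAware(false);
        return spf.newSAXParser();
    }

    // Returns true when the hardened DOM parser accepts the document, false when it rejects it.
    public static boolean acceptedByDom(String xml) {
        try {
            hardenedDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    // Same check for the hardened SAX parser, using a no-op content handler.
    public static boolean acceptedBySax(String xml) {
        try {
            hardenedSaxParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain document and one carrying a harmless internal DOCTYPE.
        String plain = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY greeting \"hello\">]><root>&greeting;</root>";

        System.out.println("DOM accepts plain document:     " + acceptedByDom(plain));      // true
        System.out.println("DOM accepts DOCTYPE document:   " + acceptedByDom(withDoctype)); // false
        System.out.println("SAX accepts plain document:     " + acceptedBySax(plain));      // true
        System.out.println("SAX accepts DOCTYPE document:   " + acceptedBySax(withDoctype)); // false
    }
}
```

With the JDK's default parser the DOCTYPE sample is rejected by both parsers because disallow-doctype-decl is honoured; on a parser that lacks that feature the fallback branch still blocks external entities, and the unconditional setXIncludeAware(false) and setExpandEntityReferences(false) calls (plus FEATURE_SECURE_PROCESSING on the SAX side) are what the issue asks the cheat sheet to present as always required.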

Good point! Thanks! @JoeFound do you want to make a PR?

Closing this Issue, since the PR is now merged