Update: XML External Entity Prevention Cheat Sheet
JoeFound opened this issue · 2 comments
What is missing or needs to be updated?
The section JAXP DocumentBuilderFactory, SAXParserFactory and DOM4J is a bit confusing to understand correctly when deciding which features to consider.
The section:
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
sounds as if it is required only when disallow-doctype-decl is not applicable, whilst it is required in all cases.
Additionally, setExpandEntityReferences(false); is not available for SAXParserFactory, where it would be possible to use setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); to mitigate the risk of Resource Exhaustion.
How should this be resolved?
Adding additional comments before the dbf.setXIncludeAware(false); line to clarify that it is required regardless of the Xerces version, and possibly adding a separate code snippet section featuring the remediation for SAXParserFactory.
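The two configurations the issue asks to be kept apart, written out side by side as an added example (not a snippet from the cheat sheet or the PR): a hardened DocumentBuilderFactory that always disables XInclude and entity expansion, and a hardened SAXParserFactory that substitutes FEATURE_SECURE_PROCESSING for the missing setExpandEntityReferences. The feature URIs are the standard Xerces ones; the sample document in main() is constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeSafeParsers {
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);      // reject any DOCTYPE, so no entity declarations at all
        dbf.setFeature(EXT_GENERAL, false);          // fallbacks for parsers that lack disallow-doctype-decl
        dbf.setFeature(EXT_PARAMETER, false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        // Required in every case, not only when disallow-doctype-decl is unavailable.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static SAXParserFactory hardenedSaxFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature(EXT_GENERAL, false);
        spf.setFeature(EXT_PARAMETER, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        spf.setXIncludeAware(false);
        // No setExpandEntityReferences here; secure processing enforces the JDK entity-expansion limits instead.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: declares a DOCTYPE, which the hardened parser must reject.
        byte[] doc = "<!DOCTYPE r [<!ENTITY x \"y\">]><r>&x;</r>".getBytes(StandardCharsets.UTF_8);
        try {
            hardenedSaxFactory().newSAXParser().parse(new ByteArrayInputStream(doc), new DefaultHandler());
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

If setFeature throws ParserConfigurationException, the underlying parser does not recognise that feature; treat that as a configuration failure rather than silently continuing with the remaining settings.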
Closing this Issue, since the PR is now merged