How to prevent XXE attacks

This article describes how to prevent XXE attacks and may serve as a reference for anyone facing the same problem.

Question

We had a security audit on our code, and it mentioned that our code is vulnerable to XML EXternal Entity (XXE) attacks.

Explanation

XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.

The following XML document shows an example of an XXE attack.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

The XML unmarshaller should be configured securely so that it does not allow external entities as part of an incoming XML document.

To avoid XXE injection do not use unmarshal methods that process an XML source directly as java.io.File, java.io.Reader or java.io.InputStream. Parse the document with a securely configured parser and use an unmarshal method that takes the secure parser as the XML source as shown in the following example:

// Parser configured as the audit report recommends
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();
Document document = db.parse(<XML Source>);   // <XML Source>: placeholder left as in the report
Model model = (Model) u.unmarshal(document);   // u: a JAXB Unmarshaller created earlier (not shown in the report)

The code below is where the audit found the XXE attack:

// doc (org.w3c.dom.Document) and outputLocation (String path) are defined earlier in the asker's code
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
System.out.println("outputing to : " + outputLocation);
File outputFile = new File(outputLocation);
StreamResult result = new StreamResult(outputFile);
DOMSource source = new DOMSource(doc);
transformer.transform(source, result);

How can I implement the above recommendation in my code? Where am I missing things?
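The Transformer snippet in the question only serializes an already-parsed `doc`; the XXE exposure is wherever that `doc` was parsed from untrusted input. The following is an added example, not code from the question, the audit report or the accepted answer: a hardened parse-and-serialize pair for the JDK's bundled parser. Class and method names are assumptions, and both XML strings are constructed samples. It goes beyond the report's `setExpandEntityReferences(false)` by refusing DOCTYPE declarations outright (the OWASP-recommended setting, which also stops entity-expansion denial of service) and by closing the Transformer's own external DTD and stylesheet access.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates a hardened DocumentBuilderFactory / TransformerFactory pair.
public class HardenedXmlExample {

    // Parser side: a DOCTYPE is rejected before any entity can be declared, so neither
    // SYSTEM entities (file/URL reads) nor nested-entity expansion bombs get a chance to run.
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where a DOCTYPE must be tolerated:
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Transformer side: forbid fetching external DTDs and stylesheets (JAXP 1.5 properties).
    static TransformerFactory secureTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder db = secureDocumentBuilderFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Same shape as the asker's output code, but writing to a String instead of a File.
    static String serialize(Document doc) throws Exception {
        Transformer transformer = secureTransformerFactory().newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: parses and round-trips normally.
        String benign = "<?xml version=\"1.0\"?><foo>hello</foo>";
        System.out.println(serialize(parse(benign)));

        // Constructed input modelled on the audit's example. With disallow-doctype-decl the
        // parser throws a SAXParseException at the DOCTYPE, before /dev/random is ever opened.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///dev/random\">]>"
                + "<foo>&xxe;</foo>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The feature flags, not `setExpandEntityReferences(false)` on its own, are what keep the JDK's Xerces from resolving SYSTEM entities; the audit's one-line setting only controls whether entity reference nodes are expanded in the resulting DOM. If a legitimate input format genuinely needs a DOCTYPE, drop only the `disallow-doctype-decl` line and keep the remaining four features.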

Accepted answer

You can use the same approach with DocumentBuilderFactory:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
...

To make everyone use this automatically, you need to create your own implementation (by extending the one which you're currently using; use your debugger to find out). Set the feature in the constructor.

Then you can pass the new factory to use in the System property javax.xml.parsers.DocumentBuilderFactory to the Java VM and everyone will use it.
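One way to do what the answer describes, added here as an example and not the answerer's own code: a factory subclass that hardens itself in its constructor and is selected through the `javax.xml.parsers.DocumentBuilderFactory` system property. The class name is hypothetical, and it assumes the debugger showed the JDK's bundled Xerces implementation; on a modular JDK that internal package has to be exported at compile time, as the comment notes.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// Hypothetical class name. It extends the JDK's bundled Xerces factory; on JDK 9+ compiling
// against this internal package needs
//   --add-exports java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED
// If your debugger shows a different implementation in use (for example standalone Apache
// Xerces, org.apache.xerces.jaxp.DocumentBuilderFactoryImpl), extend that class instead.
public class SecureDocumentBuilderFactory
        extends com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl {

    public SecureDocumentBuilderFactory() {
        super();
        try {
            // Every factory built through this class starts out hardened; callers
            // get it without touching their own code.
            setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            setFeature("http://xml.org/sax/features/external-general-entities", false);
            setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            // An unknown feature would leave the factory unhardened; fail loudly at
            // construction rather than silently fall back to the default behaviour.
            throw new IllegalStateException("cannot harden XML parser factory", e);
        }
        setXIncludeAware(false);
        setExpandEntityReferences(false);
    }

    // Self-check: once the property is set, a plain newInstance() anywhere in the
    // JVM resolves to this class and already reports DOCTYPE as disallowed.
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
                SecureDocumentBuilderFactory.class.getName());
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        System.out.println("factory in use: " + f.getClass().getName());
        System.out.println("doctype disallowed: "
                + f.getFeature("http://apache.org/xml/features/disallow-doctype-decl"));
    }
}
```

In production the property is normally passed on the command line (`-Djavax.xml.parsers.DocumentBuilderFactory=SecureDocumentBuilderFactory`, with the full package name if the class lives in one) rather than set from code, so that it is in place before any XML is parsed. JAXP consults the system property before `jaxp.properties` and the `META-INF/services` lookup, so it overrides both; the one path it does not cover is code that names an implementation explicitly via `DocumentBuilderFactory.newInstance(String, ClassLoader)`, and the same subclass-plus-property pattern is needed separately for `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory` if those are used on untrusted input.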
