关于xml xxe漏洞的疑问

wanjunjun

积分: 920

这家伙很懒，什么个性签名都没有留下。

@wendal
hi! 大神好
请问nutz里面，Xmls类里面，直接new DocumentBuilderFactory(), 是否存在XML外部实体注入漏洞？
相关代码贴在下面了。

public static DocumentBuilder xmls() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

public abstract class DocumentBuilderFactory {

    private boolean validating = false;
    private boolean namespaceAware = false;
    private boolean whitespace = false;
    private boolean expandEntityRef = true;//这里是否有XML外部实体注入漏洞？
    private boolean ignoreComments = false;
    private boolean coalescing = false;

    /**
     * <p>Protected constructor to prevent instantiation.
     * Use {@link #newInstance()}.</p>
     */
    protected DocumentBuilderFactory () {
    }

wendal

1楼•2325天前

java不受影响吧?

wanjunjun

2楼•2325天前

这个也不确定，微信官方建议的好像是要设置expandEntityRef =false，不允许加载外部实体，我看代码里面默认是没有禁用的。

wendal

3楼•2325天前

改成这样??

    public static DocumentBuilder xmls() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

wanjunjun

4楼•2325天前

看起来是要这样修复，没做过测试，不确定额。。。。

wendal

5楼•2325天前

https://gitee.com/nutz/nutzwx/commit/a3fdd82fc169b2b143d6a051ce46fb2286ed9b5f

wanjunjun

6楼•2325天前

我升级了，收到支付消息后报错了，提示：[Fatal Error] :1:1: 前言中不允许有内容
这个不清楚是什么原因导致的.

wendal

7楼•2325天前

据说微信又更新了方案, 我再改改

wanjunjun

8楼•2325天前

OK，辛苦了。。。

wendal

9楼•2325天前

我push了, 你能下载代码测试不?

wanjunjun

10楼•2325天前

刚更新了下，是这个方法吗?
public static DocumentBuilder xmls() throws ParserConfigurationException, SAXException, IOException {
//修复XXE form https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String FEATURE = null;
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
factory.setFeature(FEATURE, true);
FEATURE = "http://xml.org/sax/features/external-general-entities";
factory.setFeature(FEATURE, false);
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
factory.setFeature(FEATURE, false);
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
factory.setFeature(FEATURE, false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
return factory.newDocumentBuilder();