Can JAXB be configured to prevent entity expansion attacks?

Usually, when parsing XML in Java, you can avoid falling victim to entity expansion attacks with

dbf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);

Where dbf is the DocumentBuilderFactory used to create the DocumentBuilders that parse the XML.

However, suppose I parse the XML using JAXB instead, e.g.:

  final JAXBContext context = JAXBContext.newInstance(MyClass.class);
  final Unmarshaller unmarshaller = context.createUnmarshaller();
  final MyClass result = (MyClass) unmarshaller.unmarshal(input);

How do I configure JAXB to use FEATURE_SECURE_PROCESSING on the underlying XML parser?

Googling for answers turns up the following: http://forums.java.net/node/699983

However, I do not want to inject an XMLStreamFactory etc. into the implementation just to prevent entity expansion. Is there a way to solve this problem using only the JAXB API?

+4

3 answers

Java SE 5 limits the number of entity expansions to 64,000.

I would expect all JAXB implementations to leave this protection in place by default. However, if you want to be 100% sure, you can create a SAXSource as follows and have JAXB unmarshal that:

  import javax.xml.XMLConstants;
  import javax.xml.parsers.SAXParser;
  import javax.xml.parsers.SAXParserFactory;
  import javax.xml.transform.sax.SAXSource;
  import org.xml.sax.XMLReader;

  // Build the parser with secure processing switched on
  SAXParserFactory spf = SAXParserFactory.newInstance();
  spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  SAXParser sp = spf.newSAXParser();
  XMLReader xmlReader = sp.getXMLReader();
  // inputSource is the org.xml.sax.InputSource wrapping your XML
  SAXSource saxSource = new SAXSource(xmlReader, inputSource);
  // JAXB reads through the hardened XMLReader
  MyClass result = (MyClass) unmarshaller.unmarshal(saxSource);

For more information see

+10

I used code very similar to the code in Blaise's answer, and recently discovered that it had a subtle problem. The XMLReader that I got from the SAXParser was not configured to be namespace-aware, which meant that it did not properly handle elements such as

  <myType>
    <myIntegerElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
  </myType>

Instead of JAXB unmarshalling myIntegerElement to a null Integer in Java, it was unmarshalled to Integer.valueOf(0); an important difference for my code. The solution was to make the parser factory namespace-aware:

  SAXParserFactory spf = SAXParserFactory.newInstance();
  spf.setNamespaceAware(true);   // without this xsi:nil is not recognised
  spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  SAXParser sp = spf.newSAXParser();
  // and so on

I found this rather unexpected, because if I got my XMLReader by calling XMLReaderFactory.createXMLReader(), then the reader had no problems with nillable elements, but it also did not understand XMLConstants.FEATURE_SECURE_PROCESSING.

+1
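As an added example (not code from either answer), the SAXSource approach from Blaise's answer combined with the namespace-aware fix from the answer above, run against a constructed xsi:nil document and a constructed entity expansion bomb. The class name, MyType and buildBomb are assumptions; it assumes javax.xml.bind on the classpath (bundled with JDK 8, a separate dependency on JDK 11+) and the JDK's built-in Xerces-derived SAX parser, which honours the disallow-doctype-decl feature. One caveat worth knowing: FEATURE_SECURE_PROCESSING only caps the number of expansions (64,000 in the JDK parser); rejecting the DOCTYPE outright means no entity, internal or external, can be declared at all.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SecureJaxbSaxDemo {

    // Hypothetical stand-in for MyClass from the question: one nillable Integer element.
    @XmlRootElement(name = "myType")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class MyType {
        @XmlElement(nillable = true)
        public Integer myIntegerElement;
    }

    // Constructed input: the xsi:nil document from the answer above.
    static final String NIL_DOC =
        "<myType><myIntegerElement xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
        + " xsi:nil=\"true\"/></myType>";

    // Constructed input: a "billion laughs" document. Entity lol<i> expands to 10^i copies
    // of "lol", so depth 6 means a million expansions, far above the 64,000 limit.
    static String buildBomb(int depth) {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE myType [<!ENTITY lol0 \"lol\">");
        for (int i = 1; i <= depth; i++) {
            dtd.append("<!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) {
                dtd.append("&lol").append(i - 1).append(';');
            }
            dtd.append("\">");
        }
        dtd.append("]>");
        return dtd.append("<myType><myIntegerElement>&lol").append(depth)
                  .append(";</myIntegerElement></myType>").toString();
    }

    // The XMLReader JAXB will read through: the two settings the answers arrived at,
    // plus an optional DOCTYPE ban (a Xerces feature the JDK parser honours).
    static XMLReader hardenedReader(boolean rejectDoctype) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);                                  // xsi:nil needs this
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // expansion limit
        if (rejectDoctype) {
            // Stronger: no DOCTYPE at all, so no internal or external entities can be declared.
            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return spf.newSAXParser().getXMLReader();
    }

    static MyType unmarshal(String xml, boolean rejectDoctype) throws Exception {
        Unmarshaller um = JAXBContext.newInstance(MyType.class).createUnmarshaller();
        InputSource in = new InputSource(new StringReader(xml));
        return (MyType) um.unmarshal(new SAXSource(hardenedReader(rejectDoctype), in));
    }

    public static void main(String[] args) throws Exception {
        // 1. Namespace-aware reader: xsi:nil="true" becomes a null Integer, not 0.
        System.out.println("nil element -> " + unmarshal(NIL_DOC, false).myIntegerElement);

        // 2. Expansion limit: the bomb is rejected once 64,000 expansions are exceeded.
        try {
            unmarshal(buildBomb(6), false);
        } catch (UnmarshalException e) {
            System.out.println("bomb rejected by expansion limit: " + e.getLinkedException());
        }

        // 3. DOCTYPE ban: the same bomb is rejected before a single entity is declared.
        try {
            unmarshal(buildBomb(6), true);
        } catch (UnmarshalException e) {
            System.out.println("bomb rejected at DOCTYPE: " + e.getLinkedException());
        }
    }
}
```

Run with javac SecureJaxbSaxDemo.java && java SecureJaxbSaxDemo. The first line prints null (with a reader that is not namespace-aware it would print 0, as the answer above describes); the two rejections surface as the SAXParseException linked to the UnmarshalException, so the bomb never reaches the JAXB object layer.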

Well, first of all, XMLStreamFactory is part of the JDK, so you don't need to "inject" it. Secondly, you can always parse the DOM yourself (safely) and then run JAXB on the DOM instead of the raw stream. Finally, you can also create your own SAXParser (configured for secure processing) and pass it to JAXB (which Blaise mentioned, just saw it) (the built-in JAXB impl in the JDK uses the XMLReader from a SAXParser as its internal parser for an InputStream).

0
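As an added example (not code from the answer above), the other two routes it mentions: parsing to a DOM with a hardened DocumentBuilderFactory and handing JAXB the Node, and handing JAXB a StAX XMLStreamReader created from an XMLInputFactory with DTD support switched off. The class name, MyType and the two constructed documents are assumptions; it assumes javax.xml.bind on the classpath and the JDK's built-in DOM and StAX parsers (disallow-doctype-decl is a Xerces feature the JDK DOM parser honours).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class JaxbDomStaxDemo {

    // Hypothetical payload type; the root element name matches the question's <myType>.
    @XmlRootElement(name = "myType")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class MyType {
        public String name;
    }

    // Constructed inputs: a benign document and one that declares and uses an entity.
    static final String PLAIN_DOC = "<myType><name>ok</name></myType>";
    static final String DTD_DOC =
        "<!DOCTYPE myType [<!ENTITY x \"boom\">]><myType><name>&x;</name></myType>";

    static Unmarshaller unmarshaller() throws Exception {
        return JAXBContext.newInstance(MyType.class).createUnmarshaller();
    }

    // Route 1: parse to a DOM with a hardened DocumentBuilderFactory, then give JAXB the
    // already-parsed Node. The parser settings, not JAXB, decide what XML is accepted.
    static MyType viaDom(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return (MyType) unmarshaller().unmarshal(doc);
    }

    // Route 2: a StAX reader with DTD support off, passed to Unmarshaller.unmarshal(XMLStreamReader).
    // With DTD processing disabled no entity is ever declared, so &x; is never expanded to "boom".
    static MyType viaStax(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        return (MyType) unmarshaller().unmarshal(xsr);
    }

    public static void main(String[] args) {
        String[][] cases = {
            { "DOM", PLAIN_DOC }, { "DOM", DTD_DOC }, { "StAX", PLAIN_DOC }, { "StAX", DTD_DOC }
        };
        for (String[] c : cases) {
            try {
                MyType r = c[0].equals("DOM") ? viaDom(c[1]) : viaStax(c[1]);
                System.out.println(c[0] + " accepted, name=" + r.name);
            } catch (Exception e) {
                System.out.println(c[0] + " rejected: " + e);
            }
        }
    }
}
```

Both routes accept PLAIN_DOC. The DOM route rejects DTD_DOC at the DOCTYPE declaration; the StAX route fails on the undeclared reference &x; rather than resolving it. The trade-off versus the SAXSource route is that DOM materialises the whole document in memory before JAXB sees it, which matters for large inputs, while StAX stays streaming.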

Source: https://habr.com/ru/post/1343330/

