I know that we can prevent the XXE attack by setting the property IS_SUPPORTING_EXTERNAL_ENTITIES in the abstract class XMLInputFactory to false in JAXB.
I have also seen this Stack Overflow answer.
My question here is:
How do I create an instance of XMLInputFactory and set this IS_SUPPORTING_EXTERNAL_ENTITIES property to false when the Spring application loads up? And that particular XMLInputFactory instance should be the only one used for all the JAXB conversions for all the classes that use the javax.xml.bind.annotation package.
Spring uses RequestMappingHandlerAdapter which is an AbstractHandlerMethodAdapter that supports HandlerMethods with the signature -- method argument and return types, defined in @RequestMapping.
There are seven HttpMessageConverters, and one of them is Jaxb2RootElementHttpMessageConverter.
Jaxb2RootElementHttpMessageConverter is from the spring-web package.
From spring-web version 3.2.8 onwards, Jaxb2RootElementHttpMessageConverter sets processExternalEntities to false, which in turn sets the XMLInputFactory property IS_SUPPORTING_EXTERNAL_ENTITIES to false.
Refer to:
http://grepcode.com/file/repo1.maven.org/maven2/org.springframework/spring-web/3.2.8.RELEASE/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java?av=f
Answer: use

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>3.2.8.RELEASE</version>
</dependency>
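As an added example (not from the question or the answer above), here is what the asker describes done by hand, outside Spring: one hardened XMLInputFactory built at class-load time, with every JAXB unmarshal routed through it. It assumes Java 8, where javax.xml.bind still ships with the JDK; the class, method and sample-document names are mine.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedJaxb {
    // One shared factory configured once; XMLInputFactory is safe to reuse across threads.
    private static final XMLInputFactory INPUT_FACTORY = createHardenedFactory();

    static XMLInputFactory createHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The property the question asks about: no external entity resolution.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Belt and braces: refuse DTD processing altogether, so no DOCTYPE can declare entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    // Route every @XmlRootElement class through the hardened StAX reader instead
    // of letting JAXB create its own default parser.
    static <T> T unmarshal(Class<T> type, String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = INPUT_FACTORY.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(type).createUnmarshaller();
        return type.cast(u.unmarshal(reader));
    }

    @XmlRootElement(name = "greeting")
    public static class Greeting {
        public String text;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity with a placeholder URI.
        String input = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE greeting [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
            + "<greeting><text>&ext;</text></greeting>";
        try {
            Greeting g = unmarshal(Greeting.class, input);
            // Some StAX providers skip the DTD rather than fail; the reference then stays unexpanded.
            System.out.println("parsed without expansion, text=" + g.text);
        } catch (XMLStreamException | JAXBException e) {
            // Others (e.g. Woodstox) reject the DOCTYPE outright; either way nothing is fetched.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With spring-web 3.2.8 or later the converter already applies the same two properties internally, so this is mainly useful for JAXB code that runs outside the MVC message-converter path.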