C validating xmlreader
An XML External Entity (XXE) attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. The following guide provides concise information to prevent this vulnerability in Java XML parsers. For more information on XXE, please visit XML External Entity (XXE) Processing.

DocumentBuilderFactory and SAXParserFactory

The JAXP DocumentBuilderFactory.setFeature method allows a developer to control which implementation-specific XML processor features are enabled or disabled. Both the DocumentBuilderFactory and SAXParserFactory XML parsers can be configured using the same techniques to protect them against XXE; only the DocumentBuilderFactory example is presented here. The cheat sheet's snippet creates the factory, sets each feature inside a try block, and catches ParserConfigurationException for any feature the installed parser does not support:

```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
    // ... set each feature with dbf.setFeature(FEATURE, ...) ...
} catch (ParserConfigurationException e) {
    // catching unsupported features
} catch (SAXException e) {
} catch (IOException e) {
}
```

Note: please use Java 7 update 67, Java 8 update 20 or above; otherwise the above countermeasures for DocumentBuilderFactory and SAXParserFactory do not work.

XMLInputFactory (StAX)

StAX parsers such as XMLInputFactory allow various properties and features to be set. To protect a Java XMLInputFactory from XXE, those properties must be set on the factory before any reader is created from it.

Unmarshaller

Since an Unmarshaller parses XML and does not support any flags for disabling XXE, it is imperative to parse the untrusted XML through a configurable secure parser first, generate a Source object as a result, and pass that Source object to the Unmarshaller.

XMLDecoder

The readObject() method in this class (java.beans.XMLDecoder) is fundamentally unsafe. Not only is the XML it parses subject to XXE, but the method can be used to construct any Java object and execute arbitrary code, as described here. There is no way to make use of this class safely except to trust, or properly validate, the input being passed into it. As such, we'd strongly recommend completely avoiding the use of this class and replacing it with a safe or properly configured XML parser as described elsewhere in this cheat sheet.
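The DocumentBuilderFactory hardening described above, carried through as an added, complete example (this is not the cheat sheet's own snippet). It keeps the same shape as the cheat sheet's code (a FEATURE variable set before each call so the catch block can report which feature failed) but fails closed instead of continuing with a partially hardened factory. The feature URIs are the standard JAXP/Xerces ones honoured by the JDK's built-in parser; the class name, the sample documents and the rejection demo in main are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDomParser {

    // Standard feature URIs understood by the JDK's built-in (Xerces-derived) parser
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Builds a factory that refuses DOCTYPE declarations outright (which stops XXE and
    // entity-expansion DoS in one step) and, as a second layer, disables external
    // general/parameter entities and external DTD loading.
    public static DocumentBuilderFactory newHardenedFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        String feature = null;
        try {
            feature = DISALLOW_DOCTYPE;
            dbf.setFeature(feature, true);
            feature = EXTERNAL_GENERAL;
            dbf.setFeature(feature, false);
            feature = EXTERNAL_PARAMETER;
            dbf.setFeature(feature, false);
            feature = LOAD_EXTERNAL_DTD;
            dbf.setFeature(feature, false);
        } catch (ParserConfigurationException e) {
            // The installed parser does not know this feature. Report it and fail closed
            // rather than hand back a factory that is only partly hardened.
            System.err.println("ParserConfigurationException: feature '" + feature
                + "' is not supported by " + dbf.getClass().getName());
            throw e;
        }
        // These two setters cannot throw; XInclude and entity expansion are not needed
        // for untrusted input either.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses untrusted XML text with the hardened factory and returns the DOM.
    public static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one plain document, one carrying a DOCTYPE
        String benign = "<order><id>42</id></order>";
        System.out.println("root: "
            + parseUntrusted(benign).getDocumentElement().getTagName());

        String withDoctype =
            "<!DOCTYPE order [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
            + "<order><id>&ext;</id></order>";
        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl rejects the document before any entity is resolved,
            // so no file or network access takes place.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main on Java 8u20 or later prints the root element name for the plain document and a "rejected" line for the one with a DOCTYPE; the same setFeature calls apply unchanged to a SAXParserFactory.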
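The two remaining parsers, XMLInputFactory and Unmarshaller, as one added example (not the cheat sheet's own code). The StAX part sets the factory's SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES properties before any reader is created; the JAXB part implements the advice above by parsing with a hardened SAXParserFactory, wrapping the result in a SAXSource, and handing that Source to the Unmarshaller, so JAXB never sees raw untrusted bytes. It assumes the javax.xml.bind API is on the class path (bundled up to Java 8; a separate JAXB dependency on Java 11 and later). The User class, the sample documents and the method names are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedStaxAndJaxb {

    // StAX: a factory with DTD processing and external entity resolution turned off.
    // Properties must be set here, before createXMLStreamReader, to take effect.
    public static XMLInputFactory newHardenedInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Reads the root element name of untrusted XML through the hardened StAX factory.
    public static String rootElementName(String xml) throws XMLStreamException {
        XMLStreamReader r = newHardenedInputFactory()
            .createXMLStreamReader(new StringReader(xml));
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.START_ELEMENT) {
                return r.getLocalName();
            }
        }
        return null;
    }

    // SAX: the configurable secure parser that produces the Source for JAXB.
    public static XMLReader newHardenedReader()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    // Hypothetical payload type for the demo; a public field is mapped by JAXB by default.
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
    }

    // Unmarshaller has no XXE switches of its own, so the untrusted text is parsed by
    // the hardened XMLReader and only the resulting SAXSource reaches JAXB.
    public static User unmarshalSafely(String untrustedXml)
            throws ParserConfigurationException, SAXException, JAXBException {
        XMLReader reader = newHardenedReader();
        SAXSource source = new SAXSource(reader,
            new InputSource(new StringReader(untrustedXml)));
        Unmarshaller um = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) um.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input
        String benign = "<user><name>alice</name></user>";
        System.out.println("StAX root: " + rootElementName(benign));
        System.out.println("JAXB name: " + unmarshalSafely(benign).name);

        String withDoctype =
            "<!DOCTYPE user [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
            + "<user><name>&ext;</name></user>";
        try {
            unmarshalSafely(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (JAXBException e) {
            // The hardened XMLReader rejects the DOCTYPE; JAXB surfaces it as an
            // UnmarshalException wrapping the SAXParseException.
            System.out.println("rejected: " + e.getCause());
        }
    }
}
```

Passing an InputStream or a String straight to Unmarshaller.unmarshal would bypass the hardened reader entirely, which is exactly the situation the cheat sheet warns about; the SAXSource is the only path on which the parser configuration is under the caller's control.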