[Advanced Java Course] Lecture Series
In one piece of software I found a class called XXEUtil whose main job is to stop XXE vulnerabilities from appearing, a preventive measure, and that is indeed a good approach.
Alas! This approach has a major weakness: it is not implemented as aspect-oriented programming in the style of the Spring framework's AOP, so developers have to call the methods of this class themselves whenever they actually work with XML.
I excerpted the code of this class as follows:
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.sax.SAXTransformerFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dom4j.io.SAXReader;
import org.jdom.input.SAXBuilder;
import org.xml.sax.XMLReader;

/**
 * Opt-in XXE hardening: each overload switches off DTD and external-entity
 * handling for one XML parser API. Nothing is applied automatically; the
 * caller must invoke prevent(...) on every parser it creates. A failure to
 * set a feature is only logged, so the caller is never told that the parser
 * stayed unprotected.
 */
public class XXEUtil {
    private static final Log LOG = LogFactory.getLog(XXEUtil.class);

    // SAX XMLReader: refuse any DOCTYPE, which also rules out entity declarations.
    public static void prevent(XMLReader reader) {
        if (reader != null) {
            try {
                reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }

    // StAX: disable DTD support and external entity resolution.
    public static void prevent(XMLInputFactory factory) {
        if (factory != null) {
            try {
                factory.setProperty("javax.xml.stream.supportDTD", Boolean.valueOf(false));
                factory.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.valueOf(false));
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }

    // dom4j SAXReader: refuse DOCTYPE and disable both kinds of external entities.
    public static void prevent(SAXReader reader) {
        if (reader != null) {
            try {
                reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
                reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }

    // JDOM SAXBuilder: same three settings as for dom4j.
    public static void prevent(SAXBuilder builder) {
        if (builder != null) {
            try {
                builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
                builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }

    // XSLT (SAXTransformerFactory): an empty protocol list blocks access to
    // external DTDs and external stylesheets.
    public static void prevent(SAXTransformerFactory sf) {
        if (sf != null) {
            try {
                sf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
                sf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }

    // DOM: refuse any DOCTYPE.
    public static void prevent(DocumentBuilderFactory dbf) {
        if (dbf != null) {
            try {
                dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            } catch (Exception var2) {
                LOG.warn(var2);
            }
        }
    }
}
Yet when I searched the entire code base, I found only one place that calls this class's prevent method.
public SXWFileParser(File file) {
    try {
        this.setFile(file);
        String ex = file.getAbsolutePath();
        this.redXArchive = new RedXArchive(ex);
        // Explicitly asks for the Xerces SAX parser rather than the platform default.
        this.reader = XMLReaderFactory.createXMLReader("org.apache.xerces.parsers.SAXParser");
        this.reader.setFeature("http://xml.org/sax/features/validation", false);
        // External general and parameter entities are already switched off here,
        // and the external DTD is not loaded, before XXEUtil is ever consulted.
        this.reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        this.reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        this.reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        this.reader.setFeature("http://xml.org/sax/features/namespaces", true);
        // The only call to XXEUtil in the code base; it adds disallow-doctype-decl on top.
        XXEUtil.prevent(this.reader);
        this.handle = new RedXWriterContentHandler();
        this.reader.setContentHandler(this.handle);
        this.reader.setEntityResolver(this.handle);
    } catch (Exception var3) {
        // Any failure above is only logged; the object is still constructed.
        log.error(var3.getMessage(), var3);
    }
}
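To make the consequence of the opt-in design concrete, here is an added, self-contained Java program (not code from the page or from the software under discussion). It parses the same constructed document twice with the JDK's DocumentBuilderFactory: once on a factory nobody hardened, and once on a factory with the single feature that XXEUtil.prevent(DocumentBuilderFactory) sets. The class name XxeOptInDemo, the helper names and the sample XML are assumptions made for this illustration; only the feature string is taken from the class above. The probe uses an internal entity so it runs offline; an external entity declared with SYSTEM would be resolved by the unguarded parser in the same way.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeOptInDemo {

    // Constructed sample input (not taken from the software under discussion).
    // An internal entity is enough to reveal whether the parser honours the
    // DOCTYPE at all; a real attack would declare an external entity such as
    // <!ENTITY probe SYSTEM "file:///etc/passwd">, which the unguarded parser
    // resolves in exactly the same way. Kept internal so the demo runs offline.
    static final String PROBE_XML =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY probe \"entity-was-expanded\"> ]>\n"
            + "<data>&probe;</data>";

    // The one feature XXEUtil.prevent(DocumentBuilderFactory) sets.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Parses PROBE_XML with the given factory and returns the text content of <data>.
    static String textOf(DocumentBuilderFactory dbf) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(PROBE_XML.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    // Returns "expanded:<text>" when the DOCTYPE was honoured and the entity
    // substituted, or "rejected:<message>" when the parser refused the document.
    static String probe(DocumentBuilderFactory dbf) throws Exception {
        try {
            return "expanded:" + textOf(dbf);
        } catch (SAXParseException e) {
            return "rejected:" + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: a developer created a factory and never called XXEUtil.prevent on it.
        // The DOCTYPE is honoured and &probe; is replaced by the entity's value.
        DocumentBuilderFactory unguarded = DocumentBuilderFactory.newInstance();
        System.out.println("unguarded -> " + probe(unguarded));

        // Case 2: the developer remembered. Setting the same feature that
        // XXEUtil.prevent(dbf) sets makes the parser reject the document outright.
        DocumentBuilderFactory guarded = DocumentBuilderFactory.newInstance();
        guarded.setFeature(DISALLOW_DOCTYPE, true);
        System.out.println("guarded   -> " + probe(guarded));
    }
}
```

Compile and run with javac XxeOptInDemo.java && java XxeOptInDemo. The guarded factory could equally be passed to XXEUtil.prevent(dbf); the example sets the feature inline only because the other overloads of that class pull in dom4j, JDOM and commons-logging, which a standalone demo does not need. The point it illustrates is the one made above: every parser on which nobody called prevent behaves like the first case.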
[Advanced Java Course] Key Points of This Chapter
- Things built by Chinese developers tend to go their own separate ways
- A good policy may end up unrecognizable once it is actually implemented
- The places you think are fine are perhaps exactly where problems are most likely to turn up
- Framework designers think they have done well and can prevent most problems, yet they are often careless, and that is exactly the opportunity!