最近的项目收到微信通知，需要修复一个漏洞，即“XML 外部实体注入（XXE）漏洞”。
也就是说，在解析微信回调 XML 的过程中，需要补充防止外部实体注入（XXE）的代码。以下以 DOM 解析为例。
具体代码如下:
下面是一个公共方法，用于在解析 XML 之前加入防护（禁用 DOCTYPE 声明）。注意：所有解析微信回调的地方都应通过该方法获取 DocumentBuilder，而不要再直接 new DocumentBuilderFactory，否则防护不会生效。
package com.net.pay.wxpay.util;
import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.log4j.Logger;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
* 补充 XML 解析的防护：禁用 DOCTYPE 声明，防止 XML 外部实体注入（XXE）。
* create by zhangqi 2018-11-19
*/
public class WXPayXmlUtil {
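/** Class logger (Log4j 1.x); made final so the shared static reference cannot be reassigned. */
private static final Logger log = Logger.getLogger(WXPayXmlUtil.class);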
public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";