Solve security issue parsing xml using SAX parser

Question

I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.

The issue is, if the user enters an untrusted xml source url, the app and/or the device might be effected.

What are the best ways to identify risk and prevent exploit.

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it.

Thanks.

Do you use a schema to validate the XML content? – May 31 '12 at 17:34 — , May 31 '12 at 17:34

score 6 · Accepted Answer · answered May 31 '12 at 18:01

6

After researching, I found this. I hope this would solve my problem.

To enable FEATURE_SECURE_PROCESSING

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

answered May 31 '12 at 18:01

dcanh121

4,665
11
37
84

2

Did this actually work? I am getting an exception when doing this. – digitizedx Oct 14 '17 at 19:24
@digitizedx Were you able to get out of exception. I am getting javax.xml.parsers.ParserConfigurationException: http://apache.org/xml/features/disallow-doctype-decl – Arpit Garg Sep 12 '18 at 14:57
@ArpitGarg. No. OWASP suggest some alternatives. So I just followed https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J – digitizedx Sep 14 '18 at 14:58

score 2 · Answer 2 · answered Jun 01 '12 at 13:17

For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For StAX parser:

factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Solve security issue parsing xml using SAX parser

2 Answers2