Groovy avoid XML External Entity Injection

Question

I have a problem with xml external entity injection.

Working example:

def xslt = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<!DOCTYPE a [\n" +
            "<!ENTITY e SYSTEM \"/etc/passwd\"> ]>\n" +
            "    <xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n" +
            "        <xsl:template match=\"/\">\n" +
            "\n" +
            "          <Row>\n" +
            "             &e;\n" +
            "          </Row>\n" +
            "        </xsl:template>\n" +
            "    </xsl:stylesheet>"

    def input = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<Records>\n" +
            "  <Row>\n" +
            "     <data>data1</data>\n" +
            "  </Row>\n" +
            "</Records>"
    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    StreamSource xsltStream = new StreamSource(new ByteArrayInputStream(xslt.getBytes()))

    Transformer transformer = factory.newTransformer(xsltStream);
    StreamSource ins = new StreamSource(new ByteArrayInputStream(input.getBytes()))
    ByteArrayOutputStream bout = new ByteArrayOutputStream()
    StreamResult out = new StreamResult(bout);
    transformer.transform(ins, out);
    print bout.toString()

As result the contents of the /etc/passwd file are displayed. What can I do to avoid this problem?

The security feature is set, but is it not working?

Don't just process XML that you're given without checking it first? — tim_yates, Sep 30 '15 at 17:50
The user should be able to use it's own xml and xlst in my software, I can't check it first — Peter, Oct 02 '15 at 19:01

Groovy avoid XML External Entity Injection

0 Answers0