
I have been given to understand that XInclude is a potential vulnerability when receiving XML from untrusted sources. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

The XML which I expect from external sources is quite simple and there is never any requirement for including external XML.

I have tried the following to disable XInclude (as recommended in the Cheat Sheet):

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setXIncludeAware(false);          // do not process xi:include elements
dbf.setExpandEntityReferences(false); // do not expand entity references in the DOM

and used this XML to test

<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="file://d/temp/badxml.xml" parse="xml">
    </xi:include>
</data>

The external file contains invalid XML.

I had expected that the parser would fail if setXIncludeAware is set to true but this is not the case. The snippet is always parseable. I am using Java 8.

Is this a valid test? Is this the correct way to avoid XInclude attacks?

paul
  • Wait, is the question on how to disable XInclude or is the question if the parsing should fail when an invalid XML file is included? – Progman Nov 06 '18 at 10:51
  • @Progman the main goal is to disable XInclude (as the title suggests). I am a bit confused as I expected something to happen when an XInclude is present e.g. a parsing error. Currently, I get no indication and am therefore not sure whether an attack would be averted or not. – paul Nov 06 '18 at 11:00
  • What happens when you try to load a valid XML file with the XInclude flag enabled or disabled? You should get less data since the external file is not included. Is that the case for you? – Progman Nov 06 '18 at 11:09

1 Answer


This is the correct way to avoid XInclude and entity attacks, but that is not a valid test for XInclude attacks, as you have discovered.

According to this answer, "XInclude support relies on namespace support, which is turned off by default for backward compatibility reasons". So call dbf.setNamespaceAware(true);

Robin Green
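The following is an added example (not code from the questioner or the answerer) that turns the answer into a repeatable check. The class name XIncludeCheck and the helper names hardenedFactory, xincludeEnabledFactory and countUnexpandedIncludes are assumptions made here. It builds a temporary file of malformed XML, wraps a reference to it in an xi:include, and parses it twice with the JDK's built-in DocumentBuilderFactory: once with the hardened settings from the question (plus the DTD and external-entity features the OWASP cheat sheet lists) and once with namespace awareness and XInclude both switched on, which is the configuration the answer says is needed for XInclude to be processed at all.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class XIncludeCheck {

    private static final String XI_NS = "http://www.w3.org/2001/XInclude";

    // Factory for untrusted input: no DOCTYPE, no external entities, no
    // external DTD/schema access, no XInclude. Namespace awareness is on so
    // that XInclude *could* run if it were enabled; that is what makes a
    // "still disabled" result meaningful rather than accidental.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Counterpart used only to show what the hardened settings prevent.
    static DocumentBuilderFactory xincludeEnabledFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XInclude processing depends on namespace support
        dbf.setXIncludeAware(true);
        return dbf;
    }

    // Parse the document and count xi:include elements that survive in the DOM.
    // With XInclude disabled the element is ordinary markup and stays put;
    // with XInclude enabled it is replaced by the included content (or the
    // parse fails when the inclusion cannot be satisfied).
    static int countUnexpandedIncludes(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList includes = doc.getElementsByTagNameNS(XI_NS, "include");
        return includes.getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file holding malformed XML, and a document
        // that tries to pull it in through xi:include (no xi:fallback given).
        Path bad = Files.createTempFile("badxml", ".xml");
        Files.write(bad, "<broken><unclosed>".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
                + "<data xmlns:xi=\"" + XI_NS + "\">\n"
                + "  <xi:include href=\"" + bad.toUri() + "\" parse=\"xml\"/>\n"
                + "</data>";
        try {
            int left = countUnexpandedIncludes(hardenedFactory(), xml);
            System.out.println("hardened parser: xi:include elements left unexpanded = " + left);

            try {
                countUnexpandedIncludes(xincludeEnabledFactory(), xml);
                System.out.println("XInclude-enabled parser: inclusion was processed");
            } catch (SAXException e) {
                // The included file is not well-formed and there is no fallback,
                // so the XInclude-aware parse reports an error instead.
                System.out.println("XInclude-enabled parser failed: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(bad);
        }
    }
}
```

The useful assertion for a unit test is the first branch: with the hardened factory the xi:include element is still present in the parsed DOM, which proves the parser never attempted to fetch the href. The second branch is the behaviour the question was looking for and only appears once setNamespaceAware(true) accompanies setXIncludeAware(true); with namespace awareness off, the element is never recognised as an XInclude instruction, so neither configuration produces an error and the test cannot distinguish them.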