0

To prevent XXE attack, I am trying to override default DocumentBuilderFactoryImpl for weblogic 12c and use my own parser.

I am trying below code.

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;

import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;

public class CustomDocumentBuilderFactoryImpl extends DocumentBuilderFactoryImpl  {

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
        System.out.println("Adding Features to DocumentBuilder.....");


        super.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        super.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        super.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        super.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        super.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
        super.setXIncludeAware(false);
        super.setExpandEntityReferences(false);
        System.out.println("Returning DocumentBuilder.....");
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
       return super.newDocumentBuilder();
    }

    @Override
    public void setAttribute(String name, Object value) throws IllegalArgumentException {
        // TODO Auto-generated method stub

    }

    @Override
    public Object getAttribute(String name) throws IllegalArgumentException {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    public void setFeature(String name, boolean value) throws ParserConfigurationException {
        // TODO Auto-generated method stub

    }

    @Override
    public boolean getFeature(String name) throws ParserConfigurationException {
        // TODO Auto-generated method stub
        return false;
    }

}

but with no luck.

Can anyone help me with this? Is there any way of doing this?

*****EDIT******

I have tried Spring-Security config to prevent XXE.

<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" scope="singleton"
          init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
                <entry key="http://javax.xml.XMLConstants/feature/secure-processing" value="true"/>
                <entry key="http://apache.org/xml/features/disallow-doctype-decl" value="true"/>
                <entry key="javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING" value="true"/>
            </map>
        </property>
<!--        <property name="builderFactory" ref="builderFactoryCustom"/>-->

        <property name="namespaceAware" value="true"/>
        <property name="expandEntityReferences" value="false"/>
    </bean>

This code is working with Tomcat but not working with Weblogic.

SubhenduGN
  • 21
  • 2
  • 14
  • 1
    What does "but with no luck" means exactly ? not compiling ? not working code ? XXE are executed ? – SPoint Feb 26 '20 at 13:26
  • XXE Still executing – SubhenduGN Feb 27 '20 at 11:17
  • 1
    Did you try with this : `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ` – SPoint Mar 02 '20 at 10:19

0 Answers0