Environment: Java 8 / SpringBoot v1.3.3.RELEASE
This is an old Java code base. Recently sonar was introduced and my task is to fix Critical/Blocker level security vulnerabilities.
For this code, sonar recommends "Disable access to external entities in XML parsing":
XMLInputFactory factory = XMLInputFactory.newInstance();
As per the sonar recommendation, I added the following properties to the factory:
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
However, when I run the unit tests it gives me the following error:
java.lang.IllegalArgumentException: Unrecognized property 'http://javax.xml.XMLConstants/property/accessExternalDTD'
But it doesn't give me any such error when I set the same properties on the DocumentBuilderFactory as follows:
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
I did a bit of research and found this Java bug. But it's fixed, and it's also related to TransformerFactory. I couldn't find any such bug related to XMLInputFactory though.
Any workaround or fix is much appreciated.
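An added example (not part of the question or its code base) of hardening a StAX factory against external entity and DTD processing: it relies on SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES, which every StAX implementation must recognize, and applies the JAXP ACCESS_EXTERNAL_* properties only where the implementation accepts them. The class name, the sample document and the file path inside it are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class SafeStaxFactory {

    // Build an XMLInputFactory that neither processes DTDs nor resolves external entities.
    // The two StAX-standard properties are mandatory for all implementations, so they can
    // never raise "Unrecognized property"; the JAXP ACCESS_EXTERNAL_* properties are optional
    // for StAX and are applied only when the implementation on the classpath accepts them.
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        String[] optional = {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_SCHEMA};
        for (String prop : optional) {
            try {
                factory.setProperty(prop, "");
            } catch (IllegalArgumentException notSupported) {
                // This implementation does not know the JAXP property; SUPPORT_DTD=false
                // already stops DTD and external-entity processing, so nothing is lost.
            }
        }
        return factory;
    }

    // Constructed sample: a document whose DTD declares an external entity (XXE pattern).
    private static final String SAMPLE_XXE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">]>\n"
          + "<doc>&ext;</doc>";

    public static void main(String[] args) {
        XMLInputFactory factory = newHardenedFactory();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(SAMPLE_XXE));
            while (reader.hasNext()) {
                reader.next();
            }
            System.out.println("Parsed without resolving the external entity");
        } catch (XMLStreamException e) {
            // Also acceptable: the parser rejects the DOCTYPE/entity instead of processing it.
            System.out.println("Rejected by hardened parser: " + e.getMessage());
        }
    }
}
```

Which of the two outcomes occurs (entity left unresolved, or the document rejected outright) depends on the StAX implementation found at runtime; both mean the file reference was never read.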