DocumentBuilderFactory that mitigates XXE using OWASP guidance

Recommended mitigation:

Replace this dangerous code:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.isIgnoringElementContentWhitespace();
DocumentBuilder builder = factory.newDocumentBuilder();

With this safer code:

DocumentBuilder builder = DocumentBuilders.createSaferDocumentBuilder(factory -> {
    factory.isIgnoringElementContentWhitespace();
});

Add this utility interface somewhere:

// BASED ON SOURCE: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public interface DocumentBuilders
{
    // Callback that lets the caller apply its own (non-security) settings
    // after the XXE hardening has been applied.
    interface ParserConfigurer
    {
        void configureParser(DocumentBuilderFactory factory) throws ParserConfigurationException;
    }

    static DocumentBuilder createSaferDocumentBuilder(ParserConfigurer parserConfigurer) throws ParserConfigurationException
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE declaration at all, which rules out
        // every entity-based attack (external entities, billion laughs, etc.).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE feature is ever relaxed:
        // do not resolve external general or parameter entities ...
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // ... and do not fetch an external DTD referenced by the document.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude can pull in arbitrary local or remote resources; turn it off.
        factory.setXIncludeAware(false);
        // Keep entity references unexpanded in the resulting DOM.
        factory.setExpandEntityReferences(false);
        // Caller's own configuration runs last, on the already-hardened factory.
        parserConfigurer.configureParser(factory);

        return factory.newDocumentBuilder();
    }
}
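As an added illustration (not part of the gist above), the following program drives `DocumentBuilders.createSaferDocumentBuilder` with two constructed inputs: a plain document, which parses, and a document carrying a DOCTYPE with only an internal entity, which the hardened builder refuses outright because `disallow-doctype-decl` is set. The configurer lambda uses `setIgnoringElementContentWhitespace(true)` and `setNamespaceAware(true)` as stand-ins for the caller's own settings; the class name `SaferDocumentBuilderDemo` is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SaferDocumentBuilderDemo {
    // Constructed sample: a benign document with no DOCTYPE.
    static final String PLAIN_XML =
        "<?xml version=\"1.0\"?><order><id>42</id></order>";

    // Constructed sample: a DOCTYPE declaring only an internal entity. It is
    // harmless by itself, but the hardened builder rejects any DOCTYPE, which is
    // what stops external-entity and entity-expansion payloads as a class.
    static final String DOCTYPE_XML =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE order [<!ENTITY greet \"hello\">]>"
        + "<order>&greet;</order>";

    // Parses one document and reports whether it was accepted or refused.
    // The JDK's default ErrorHandler also logs fatal errors to stderr.
    static String describe(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed root <" + doc.getDocumentElement().getTagName() + ">";
        } catch (SAXParseException e) {
            // disallow-doctype-decl surfaces as a fatal parse error here.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = DocumentBuilders.createSaferDocumentBuilder(factory -> {
            // Caller-specific, non-security settings go here.
            factory.setIgnoringElementContentWhitespace(true);
            factory.setNamespaceAware(true);
        });

        System.out.println("plain:   " + describe(builder, PLAIN_XML));
        System.out.println("doctype: " + describe(builder, DOCTYPE_XML));
    }
}
```

Compile it alongside the `DocumentBuilders` interface; the second line of output shows the DOCTYPE document being refused before any entity is ever resolved.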

carlosvillasanchez commented Aug 24, 2020

This is not outdated, is it?

AlainODea (Author) commented Aug 24, 2020

@carlosvillasanchez what have you checked to determine that so far? I haven't checked in a while and I don't use Java in my current job. It's unlikely to have changed much since processing untrusted XML in a fully standards-compliant manner is inherently unsafe. Most of these mitigations are technically not compliant, but that rarely matters in practice. Check the referenced guide to see if this has drifted.
