DocumentBuilderFactory that mitigates XXE using OWASP guidance

Recommended mitigation:

Replace this dangerous code:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Application-specific setting; a default factory still resolves DOCTYPEs and external entities
factory.setIgnoringElementContentWhitespace(true);
DocumentBuilder builder = factory.newDocumentBuilder();

With this safer code:

DocumentBuilder builder = DocumentBuilders.createSaferDocumentBuilder(factory -> {
    // Only application-specific settings go here; the XXE hardening is applied by the helper
    factory.setIgnoringElementContentWhitespace(true);
});

Add this utility interface somewhere:

// BASED ON SOURCE: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public interface DocumentBuilders
{
    // Callback for application-specific factory settings, applied after the hardening below
    interface ParserConfigurer
    {
        void configureParser(DocumentBuilderFactory factory) throws ParserConfigurationException;
    }

    static DocumentBuilder createSaferDocumentBuilder(ParserConfigurer parserConfigurer) throws ParserConfigurationException
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary defence: reject any DOCTYPE, so no entity can be declared at all.
        // Note that this also rejects legitimate documents that carry a DTD.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if DOCTYPEs must be allowed: do not resolve external general
        // or parameter entities, and do not fetch an external DTD
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude can pull in other files or URLs; entity expansion enables entity-based DoS
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // Let the caller apply its own settings, but only after the hardening above
        parserConfigurer.configureParser(factory);

        return factory.newDocumentBuilder();
    }
}
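To check that the hardening actually takes effect, here is an added example (not part of the gist) that inlines the same feature settings and parses two constructed documents: a benign one, and one carrying a DOCTYPE with an external entity. The entity's SYSTEM identifier is a placeholder; with disallow-doctype-decl set, the parser rejects the DOCTYPE before any entity is resolved, so nothing is ever fetched.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample inputs: a benign document and one with an external entity declaration.
    // The SYSTEM identifier is a placeholder; it is never resolved because the DOCTYPE is rejected.
    static final String BENIGN = "<?xml version=\"1.0\"?><user><name>alice</name></user>";
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE user [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
      + "<user><name>&ext;</name></user>";

    // Same hardening as the OWASP-based helper above, inlined so this example compiles on its own
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the text of <name>, or null when the parser rejected the input
    static String parseName(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("name").item(0).getTextContent();
        } catch (SAXParseException e) {
            // Expected for WITH_DOCTYPE: the DOCTYPE itself is the error, not a resolution failure
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();
        String ok = parseName(builder, BENIGN);
        String rejected = parseName(builder, WITH_DOCTYPE);
        if (!"alice".equals(ok) || rejected != null) {
            throw new AssertionError("hardening check failed: " + ok + " / " + rejected);
        }
        System.out.println("benign document parsed; DOCTYPE document rejected");
    }
}
```

Swapping the hardened builder for a plain DocumentBuilderFactory.newInstance().newDocumentBuilder() makes the second parse succeed (or fail on the placeholder path), which is the difference this check is meant to catch in a unit test.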