Solve security issue parsing xml using SAX parser

About

Asked 31/5, 2012 at 16:37 Answered 1/6, 2012 at 13:17

Solved java android xml security saxparser

I have an android app, in which user can enter any xml source url to parse. My app then parses the xml(if valid) and displays results.

The issue is, if the user enters an untrusted xml source url, the app and/or the device might be effected.

What are the best ways to identify risk and prevent exploit.

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it.

Thanks.

Pazit answered 31/5, 2012 at 16:37 Comment(1)

Do you use a schema to validate the XML content? – Stapes 31/5, 2012 at 17:34

After researching, I found this. I hope this would solve my problem.

To enable FEATURE_SECURE_PROCESSING

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Pazit answered 31/5, 2012 at 18:1 Comment(3)

Did this actually work? I am getting an exception when doing this. – Donelu 14/10, 2017 at 19:24

@Donelu Were you able to get out of exception. I am getting javax.xml.parsers.ParserConfigurationException: apache.org/xml/features/disallow-doctype-decl – Mirabelle 12/9, 2018 at 14:57

@ArpitGarg. No. OWASP suggest some alternatives. So I just followed owasp.org/index.php/… – Donelu 14/9, 2018 at 14:58

For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
For StAX parser:

factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);

Availability answered 1/6, 2012 at 13:17 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags