TechQA.

Java SAX parser, How do I prevent character references entirely? (DoS attack)

935 views Asked by At

The XML files of incoming request needs to be validated. One requierement is that character references are prevented entirely because of possible DoS attacks. If I configure the SAXParserFactory like below:

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the parer still resolves 100.000 entity expansions.

The parser has encountered more than "100.000" entity expansions in this document; this is the limit imposed by the application.

The prevention of external references was done via an EntityResolver which works fine. But how do I prevent the character references?

java xml saxparser denial-of-service character-reference
Original Q&A
2

There are 2 answers

7
Michael Kay On BEST ANSWER

Character references cannot cause a denial of service attack, so there is no reason to prevent them.

0
My-Name-Is On

An instance of org.apache.xerces.util.SecurityManager can limit the amount of entity expansions. Here's the an example.

SAXParser saxParser = spf.newSAXParser();
org.apache.xerces.util.SecurityManager mgr = new org.apache.xerces.util.SecurityManager();
mgr.setEntityExpansionLimit(-1);
saxParser.setProperty("http://apache.org/xml/properties/security-manager", mgr);

With this, the parsing process terminates if the XML file contains at least one entity reference. Now there's no more need for an EntityResolver.

The jar file which contains the SecurityManager can be downloaded here.

Related Questions in JAVA

Related Questions in XML

Related Questions in SAXPARSER

Related Questions in DENIAL-OF-SERVICE

Related Questions in CHARACTER-REFERENCE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions