1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.dom4j.Document;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;

public class XXETest {

    public static String getXml(String fileName) {
        byte[] buf = new byte[512];
        String result = null;
        ByteArrayOutputStream out = null;
        InputStream fin = null;
        try {
            fin = XXETest.class.getResourceAsStream(fileName);
            out = new ByteArrayOutputStream();
            int len = fin.read(buf);
            while (len > 0) {
                out.write(buf, 0, len);
                len = fin.read(buf);
            }
            result = out.toString("utf-8");
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (out != null) {
                try {
                    out.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (fin != null) {
                try {
                    fin.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        //dom4jTest();
        domTest();
    }
    
    public static void dom4jTest() throws Exception {
        String xml = getXml("hello.xml");
        Document doc = null;
        // 有问题的代码
//      doc = DocumentHelper.parseText(xml);
        
        // 修改后的代码
        SAXReader reader = new SAXReader();
//      reader.setIncludeExternalDTDDeclarations(false); // 测试结果：不起作用；
//      reader.setIncludeInternalDTDDeclarations(false); // 测试结果：不起作用；
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // 主要是这句发挥作用！！！
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false); // 测试结果：可不写；
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // 测试结果：可不写；
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // 测试结果：可不写；
        String encoding = "utf-8"; // getEncoding(xml);
        InputSource source = new InputSource(new StringReader(xml));
        source.setEncoding(encoding);
        doc = reader.read(source);

        // if the XML parser doesn't provide a way to retrieve the encoding,
        // specify it manually
        if (doc.getXMLEncoding() == null) {
            doc.setXMLEncoding("utf-8");
        }
        System.out.println(doc.getRootElement().element("name").getText());
    }
    
    public static void domTest() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // 有问题的代码
//      DocumentBuilder builder = dbf.newDocumentBuilder();
//      org.w3c.dom.Document doc = builder.parse(Test3.class.getResourceAsStream("hello.xml"));
        
        // 修改后的代码
        String FEATURE = null;
        // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
        // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
        dbf.setFeature(FEATURE, true); // 主要是这句发挥作用！！！
        
        // If you can't completely disable DTDs, then at least do the following:
        // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
        // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
        // JDK7+ - http://xml.org/sax/features/external-general-entities 
        FEATURE = "http://xml.org/sax/features/external-general-entities";
        dbf.setFeature(FEATURE, false); // 测试结果：可不写；
        
        // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
        // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
        // JDK7+ - http://xml.org/sax/features/external-parameter-entities 
        FEATURE = "http://xml.org/sax/features/external-parameter-entities";
        dbf.setFeature(FEATURE, false); // 测试结果：可不写；
        
        // Disable external DTDs as well
        FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
        dbf.setFeature(FEATURE, false); // 测试结果：可不写；
        
        // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
        dbf.setXIncludeAware(false); // 测试结果：可不写；
        dbf.setExpandEntityReferences(false); // 测试结果：可不写；
        DocumentBuilder builder = dbf.newDocumentBuilder();
        org.w3c.dom.Document doc = builder.parse(XXETest.class.getResourceAsStream("hello.xml"));
        System.out.println(doc.getElementsByTagName_r("name").item(0).getTextContent());
    }
    
}