声纳推荐的防止XXE攻击的解决方案似乎并未缓解XXE十亿个笑声攻击

问题描述

XXE安全威胁目前没有。 OWASP十大Web应用程序安全威胁列表中的第4个，因此我希望Java标准XML库可以防止此类攻击。但是，当我以Sonar推荐的方式使用Validator类时，规则“ XML解析器不应受到XXE攻击（java：S2755）”（link to rule）的攻击：

String xsd = "xxe.xsd";
String xml = "billionlaughs.xml";
StreamSource xsdStreamSource = new StreamSource(xsd);
StreamSource xmlStreamSource = new StreamSource(xml);

SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = schemaFactory.newSchema(xsdStreamSource);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,"");
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA,"");
// validators will also inherit of these properties
Validator validator = schema.newValidator();

validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,"");   // Compliant
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA,"");   // Compliant

StringWriter writer = new StringWriter();
validator.validate(xmlStreamSource,new StreamResult(writer));

在Java 11中，billionlaughs.xml是

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

我收到以下异常：

Exception in thread "main" org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.
    at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
    at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1413)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1337)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEntityReference(XMLDocumentFragmentScannerImpl.java:1842)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2982)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
    at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
    at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
    at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
    at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.StreamValidatorHelper.validate(StreamValidatorHelper.java:176)
    at java.xml/com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:115)
    at trial.Trial.main(Trial.java:35)

所以我的问题是，这是否被认为是减轻十亿个笑声攻击的正确方法（毕竟，实体扩展限制为64000个），或者是否存在另一种配置XML解析的方法来避免查看<!DOCTYPE ..>部分。

解决方法

OWASP Top Ten entry和SonarSource rule都约XML External Entities，而“十亿个笑声”攻击是使用XML Internal Entities构建的。内部实体定义为：

[...]没有单独的物理存储对象，并且实体的内容在声明中给出。

自at least Java 1.5以来，Java一直具有您遇到的实体扩展限制。

但是，仍然需要建议的缓解措施来防止XML外部实体攻击。您可以使用OWASP网站或SonarSource规则中提供的示例之一自己进行测试。例如，让您的Validator验证以下内容（假设您的操作系统是Linux）：

sharpe()

然后让您的代码随后输出<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>的值。您将看到，在没有缓解措施的情况下，它包含StringWriter writer文件的内容。

如OWASP XML External Entity Prevention Cheat Sheet所述，在某些情况下，您还可以完全禁用DTD（文档类型定义）以同时禁止外部和内部实体。

ddos java java security sonarqube xxe

声纳推荐的防止XXE攻击的解决方案似乎并未缓解XXE十亿个笑声攻击

问题描述

解决方法

相关问答