关于XML解析存在的安全问题指引
场景1:支付成功通知
场景2:退款成功通知
场景3:委托代扣签约、解约、扣款通知
场景4:车主解约通知
场景5:扫码支付模式一回调
官方的SDK已经升级,其中相关代码做了防范,如下:
package com.github.wxpay.sdk;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
/**
* 2018/7/3
*/
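public final class WXPayXmlUtil {

    /**
     * Creates a {@link DocumentBuilder} hardened against XXE for parsing payment-callback XML.
     * DOCTYPE declarations are rejected outright; external general/parameter entities and
     * external DTD loading are disabled; XInclude is off; entity references are not expanded;
     * and the JDK secure-processing limits are switched on.
     *
     * @return a newly created, hardened builder
     * @throws ParserConfigurationException if the underlying parser does not support one of the features
     */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE removes the DTD-based entity vector entirely; the features that
        // follow keep the parser safe even if a provider ignores this first one.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Secure processing enables the JDK's entity-expansion and resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Creates an empty DOM {@link Document} from a hardened builder.
     *
     * @return a new, empty document
     * @throws ParserConfigurationException if the hardened builder cannot be created
     */
    public static Document newDocument() throws ParserConfigurationException {
        return newDocumentBuilder().newDocument();
    }
}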
如果您不是使用官方的SDK,而是自己解析的,可以参考下面的代码:
package com.jianggujin.magicpay.util;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
/**
 * XML工具
 *
 * @author jianggujin
 *
 */
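public class JXMLUtils {

    /** Xerces: reject any DOCTYPE declaration, which closes the DTD-based entity vector outright. */
    private static final String FEATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    /** SAX: never resolve external general entities. */
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    /** SAX: never resolve external parameter entities. */
    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    /** Xerces: do not fetch an external DTD even in non-validating mode. */
    private static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /**
     * Creates a DOM {@link DocumentBuilder} hardened against XXE.
     * DOCTYPE is rejected, external entities and external DTD loading are disabled, XInclude is off,
     * entity references are not expanded, and the JDK secure-processing limits are enabled.
     *
     * @return a newly created, hardened builder
     * @throws ParserConfigurationException if the parser does not support one of the features
     */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        // Re-enabled (the original had this line commented out) so the builder matches the official
        // SDK and the JDK's entity-expansion/resource limits act as a second layer of defence.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Creates an empty DOM {@link Document} from a hardened builder.
     *
     * @return a new, empty document
     * @throws ParserConfigurationException if the hardened builder cannot be created
     */
    public static Document newDocument() throws ParserConfigurationException {
        return newDocumentBuilder().newDocument();
    }

    /**
     * Creates a {@link SAXParserFactory} hardened against XXE.
     * Unlike the original, the factory now also rejects DOCTYPE declarations and enables secure
     * processing, so every SAX parser produced here has the same guarantees as
     * {@link #newDocumentBuilder()} and {@link #newXMLReader()}. Input that carries a DOCTYPE
     * is therefore rejected with a {@link SAXException} at parse time.
     *
     * @return a newly created, hardened factory
     * @throws ParserConfigurationException if the parser does not support one of the features
     * @throws SAXException if a feature is not recognised or cannot be set
     */
    public static SAXParserFactory newSAXParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        factory.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    /**
     * Creates a hardened {@link SAXParser} from {@link #newSAXParserFactory()}.
     *
     * @return a newly created parser
     * @throws ParserConfigurationException if the hardened factory cannot be created
     * @throws SAXException if a feature cannot be set
     */
    public static SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        return newSAXParserFactory().newSAXParser();
    }

    /**
     * Creates a hardened {@link XMLReader}.
     * The reader is obtained from {@link #newSAXParserFactory()} rather than the deprecated
     * {@code XMLReaderFactory}, so all SAX entry points share one configuration; the features are
     * re-applied on the reader itself in case a provider hands out a fresh instance.
     *
     * @return a newly created, hardened reader
     * @throws SAXException if the reader cannot be created or a feature cannot be set
     */
    public static XMLReader newXMLReader() throws SAXException {
        XMLReader reader;
        try {
            reader = newSAXParserFactory().newSAXParser().getXMLReader();
        } catch (ParserConfigurationException e) {
            // Keep the declared signature: callers of this method only expect SAXException.
            throw new SAXException("cannot create a hardened XMLReader", e);
        }
        reader.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true);
        // Not strictly required once DOCTYPE is rejected, but harmless and defends against a
        // provider that does not honour the feature above.
        reader.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);
        reader.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        reader.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        return reader;
    }

    /**
     * Creates a {@link TransformerFactory} that cannot reach external DTDs or stylesheets.
     * Setting both access attributes to the empty string denies every protocol.
     *
     * @return a newly created, restricted factory
     */
    public static TransformerFactory newTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * Creates a StAX {@link XMLInputFactory} with DTD support and external entities disabled.
     *
     * @return a newly created, hardened factory
     */
    public static XMLInputFactory newXMLInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Disables DTDs entirely for readers created by this factory.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces: even if DTDs were allowed, external entities are not resolved.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }
}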
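// dom4j: harden an org.dom4j.io.SAXReader the same way.
// saxReader is assumed to be created before this snippet (not shown on this page).
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Added for parity with JXMLUtils: never fetch an external DTD, even in non-validating mode.
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);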
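// jdom: harden the SAXBuilder before building a document from an untrusted file.
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Added for parity with JXMLUtils: never fetch an external DTD, even in non-validating mode.
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Document doc = builder.build(new File(fileName));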