Feature security processing instructs JAXP components such as parsers, transformers, and so on to behave in a secure fashion. Feature security processing is disabled by default.
Feature Security Processing Default Limitations
The following table describes which XML-related factory classes are disabled and which processing limits are set if feature security processing is enabled.
Table 12-2 Default Limitations Set by Feature Security Processing on XML-Related Factory Classes
XML-Related Factory Class Enabled? Processing Limits DocumentBuilderFactory truejdk.xml.entityExpansionLimit = 64000
jdk.xml.elementAttributeLimit = 1000
jdk.xml.maxOccurLimit = 5000
jdk.xml.entityExpansionLimit = 64000
jdk.xml.elementAttributeLimit = 10000
jdk.xml.maxOccurLimit = 5000
jdk.xml.maxOccurLimit = 5000 TransformerFactory false Extension functions disabled XPathFactory false Extension functions disabled
The following sections describes the processing limits in this table in detail and how you can change them.
Limiting Entity Expansion
Limit the the number of entity expansions by either setting the system property jdk.xml.entityExpansionLimit or the parser property http://apache.org/xml/properties/entity-expansion-limit. Both properties accept java.lang.Integer values. The parser throws a fatal error once it has reached the entity expansion limit. By default, entityExpansionLimit is set to 64,000.
The following command-line example sets the entity expansion limit to 10,000:
java -DentityExpansionLimit=10000 MyApp The following code example sets the entity expansion limit to 10,000:
System.setProperty("jdk.xml.entityExpansionLimit","10000");The following code example sets the parser property http://apache.org/xml/properties/entity-expansion-limit to 10,000:
DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
dfactory.setAttribute(
"http://apache.org/xml/properties/entity-expansion-limit",
new Integer("10000"));
DocumentBuilder docBuilder = dbFactory.newDocumentBuilder();Limiting Number of Element Attributes
Limit the number of attributes in an element by either setting the system property jdk.xml.elementAttributeLimit or by setting the parser property http://apache.org/xml/properties/elementAttributeLimit. Both properties accept Integer values. By default, jdk.xml.elementAttributeLimit is set to 10,000. When the parser property http://apache.org/xml/properties/elementAttributeLimit is set, it overrides the system property. The parser throws a fatal error if the number of attributes in a element exceeds the limit.
The following command-line example sets the element attribute limit to 20:
java -Djdk.xml.elementAttributeLimit=20 MyAppThe following code example sets the element attribute limit to 20:
System.setProperty("jdk.xml.elementAttributeLimit","20");The following code example sets the parser property http://apache.org/xml/properties/entity-expansion-limit to 20:
DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
dfactory.setAttribute(
"http://apache.org/xml/properties/elementAttributeLimit",
new Integer(20));
DocumentBuilder docBuilder = dbFactory.newDocumentBuilder();Limit Number of Nodes Created by Constructs That Contain maxOccurs
In constructs like xsd:sequence, the validating parser may use space (memory) proportional to the value of the maxOccurs occurrence indicator. This may cause the VM to run out of memory, or simply run for a very long time. To prevent potential attacks that exploit this behavior, enable secure processing on a factory as follows:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);Note that for xsd:element and xsd:any, the validating parser uses a constant amount of space, which is independent of the value of the maxOccurs occurrence indicator.
The default value of jdk.xml.maxOccurLimit is 5000. This system property limits the number of content model nodes that may be created when building a grammar for a W3C XML Schema that contains maxOccurs occurrence indicators with values other than "unbounded".
Disabling XPath and XSLT Extension Functions
By default, XPath and XSLT extension functions are disabled when feature secure processing is enabled. The following code enables feature secure processing and disables XPath and XSLT extension functions for XPathFactory:
XPathFactory xpf = xPathFactory.newInstance();
xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);The following code enables feature secure processing and disables XSLT extension functions for TransformerFactory:
TransformerFactory tf = TransformerFactory.newInstance();
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);Security Issue Posed by Nested Entity Definitions
While XML does not allow recursive entity definitions, it does permit nested entity definitions, which produces the potential for Denial of Service attacks on a server which accepts XML data from external sources. For example, a SOAP document like the following that has very deeply nested entity definitions can consume 100% of CPU time and large amounts of memory in entity expansions:
<?xml version="1.0" encoding ="UTF-8"?>
<!DOCTYPE foobar[
<!ENTITY x100 "foobar">
<!ENTITY x99 "&x100;&x100;">
<!ENTITY x98 "&x99;&x99;">
...
<!ENTITY x2 "&x3;&x3;">
<!ENTITY x1 "&x2;&x2;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">
<foobar xsi:type="xsd:string">&x1;</foobar>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope> You don't have worry about this issue if your system doesn't take in external XML data, but a system that does should turn on the secure processing feature and reset the limits as described in Limiting Entity Expansion and Limiting Number of Element Attributes.
Disallowing DTDs
When you set the http://apache.org/xml/features/disallow-doctype-decl parser property to true, a fatal error is then thrown if the incoming XML document contains a DOCTYPE declaration. (The default value for this property is false.) This property is typically useful for SOAP based applications where a SOAP message must not contain a Document Type Declaration.
Secure Processing Using StAX
The class XMLInputFactory includes the property javax.xml.stream.supportDTD that requests processors that do not support DTDs. StAX includes a similar property, XMLInputFactory.SUPPORT_DTD, that you can use to disable DTD processing:
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);Resolving External Resources
The following system properties restrict how XML parsers resolve external resources:
javax.xml.XMLConstants.ACCESS_EXTERNAL_DTDjavax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMAjavax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEETSee JAXP 1.5 and New Properties in The Java Tutorials for more information about these properties.
Turning off Feature Secure Processing
Turn off feature secure processing by calling the setFeature method on factories. The following code example turns off feature secure processing for the SAX parser:
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,false);When you turn off feature secure processing for the DOM or SAX parser, you remove the default limiations specified by jdk.xml.entityExpansionLimit, jdk.xml.elementAttributeLimit, and jdk.xml.maxOccurLimit.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4