Talk:XML External Entity (XXE) Processing

XXE Prevention in Java / Using an own EntiyResolver Implementation?
Context: We write Java Software, used in quite different environment (div. Operating System, OpenJDK, IBM-JDK, Sun-JDK, JDK 6 - JDK8). I am not really happy with the described solution to prevent External Entity Injection, because it is depending on some special XML parser Implementations.

To prevent External Entity Injection flaws we primarily use our own EntityResolver and we think this alone should be enough to ensure that the parser can not access resources via URL´s from SGML Entity Declarations.

Our Entity Resolver looks like:

public class SecureEntityResolver implements EntityResolver { List allowedSystemIds = new ArrayList;

@Override public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException { if(allowedSystemIds.contains(systemId)) { // return a special input source return new InputSource(new ByteArrayInputStream(systemId.getBytes)); }		return new InputSource(new ByteArrayInputStream("".getBytes)); }

public void addAllowedSystemIds(List allowedSystemIds) { this.allowedSystemIds = allowedSystemIds; } }

When parsing XML we register our Entity-Resolver

DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance; newFactory.setNamespaceAware(true);

DocumentBuilder builder = newFactory.newDocumentBuilder; builder.setEntityResolver(new SecureEntityResolver); /* !!!! */

Document doc = builder.parse(...);

Does anyone see problems with this way to prevent XXE Injection attacks?