How to disable DTD fetching using JAXB2.0

执念已碎 2020-12-02 17:54

I'm trying to use JAXB to unmarshal some XML which I used xjc to create in the first place. I don't want to do any validation on the unmarshalling, but even though I have

5 answers
  • 2020-12-02 18:09

    Building on the answers from @blaise-doughan and @aerobiotic, here is a solution that worked for me:

    import java.io.FileReader;
    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.Unmarshaller;
    import javax.xml.parsers.SAXParserFactory;
    import javax.xml.transform.sax.SAXSource;
    
    import org.xml.sax.InputSource;
    import org.xml.sax.XMLReader;
    
    public class Demo2 {
    
        public static void main(String[] args) throws Exception {
    
            // MyBean is the xjc-generated class bound to the document's root element.
            JAXBContext jc = JAXBContext.newInstance(MyBean.class);
    
            // Configure the SAX parser ourselves. Xerces will still open the
            // external DTD subset for validation even with load-external-dtd off,
            // so both features have to be switched off to stop the fetch.
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            spf.setFeature("http://xml.org/sax/features/validation", false);
    
            // Hand the pre-configured reader to JAXB through a SAXSource;
            // the Unmarshaller itself has no switch for DTD loading.
            XMLReader xmlReader = spf.newSAXParser().getXMLReader();
            InputSource inputSource = new InputSource(
                    new FileReader("myfile.xml"));
            SAXSource source = new SAXSource(xmlReader, inputSource);
    
            Unmarshaller unmarshaller = jc.createUnmarshaller();
            MyBean foo = (MyBean) unmarshaller.unmarshal(source);
        }
    }
    
  • 2020-12-02 18:10

    None of the above suggestions worked for me... I'm suggesting this code, which worked for me ☺️. To remove the DTD from the XML, I used a regex:

    String str = event.getData();
    str = str.replaceAll("<!DOCTYPE[^<>]*(?:<![^<>]*>[^<>]*)*>", "");

  • 2020-12-02 18:11

    In answer to the question "How to disable DTD fetching using JAXB2.0".

    @sameer-puri links to https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#SAXTransformerFactory which answers the question as follows:

    JAXB Unmarshaller

    Since a javax.xml.bind.Unmarshaller parses XML and does not support any flags for disabling XXE, it's imperative to parse the untrusted XML through a configurable secure parser first, generate a source object as a result, and pass the source object to the Unmarshaller. For example:

    import java.io.StringReader;
    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.Unmarshaller;
    import javax.xml.parsers.SAXParserFactory;
    import javax.xml.transform.Source;
    import javax.xml.transform.sax.SAXSource;
    import org.xml.sax.InputSource;
    
    //Disable XXE
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    
    //Do unmarshall operation (xml is the untrusted document as a String;
    //in real code pass your bound class to newInstance, not Object.class)
    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(),
                                    new InputSource(new StringReader(xml)));
    JAXBContext jc = JAXBContext.newInstance(Object.class);
    Unmarshaller um = jc.createUnmarshaller();
    um.unmarshal(xmlSource);
    
  • 2020-12-02 18:19

    Below is sample code that demonstrates how to get a JAXB (JSR-222) implementation to use your SAX parser:

    import java.io.FileReader;
    import javax.xml.XMLConstants;
    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.Unmarshaller;
    import javax.xml.parsers.SAXParserFactory;
    import javax.xml.transform.sax.SAXSource;
    
    import org.xml.sax.InputSource;
    import org.xml.sax.XMLReader;
    
    public class Demo {
    
        public static void main(String[] args) throws Exception {
            JAXBContext jc = JAXBContext.newInstance(Foo.class);
    
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            XMLReader xmlReader = spf.newSAXParser().getXMLReader();
            InputSource inputSource = new InputSource(new FileReader("input.xml"));
            SAXSource source = new SAXSource(xmlReader, inputSource);
    
            Unmarshaller unmarshaller = jc.createUnmarshaller();
            Foo foo = (Foo) unmarshaller.unmarshal(source);
            System.out.println(foo.getValue());
        }
    
    }
    
  • 2020-12-02 18:21

    You can create the Unmarshaller directly from a javax.xml.transform.sax.SAXSource.

    See the example on this page: http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/api/javax/xml/bind/Unmarshaller.html

    Then you "only" need to provide your own URIResolver to that SAXSource

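Putting the answers above together as one runnable program (an added example, not code from the original thread): a SAX reader with external DTD loading, validation and external entities switched off, plus an entity resolver that fails closed, handed to the JAXB Unmarshaller through a SAXSource. Note that on an XMLReader the hook for "your own resolver" is org.xml.sax.EntityResolver; javax.xml.transform.URIResolver is the XSLT-side interface and is never consulted by a SAX parser. The Foo bean, the class name SafeUnmarshalDemo and the input document with its DOCTYPE pointing at dtd.example.invalid are constructed for this example; the javax.xml.bind package is JAXB 2.x as discussed on this page (on Java 11 and later it has to be supplied as a separate dependency).

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class SafeUnmarshalDemo {

    // Hypothetical bound class; any xjc-generated class works the same way.
    @XmlRootElement(name = "foo")
    public static class Foo {
        @XmlElement
        public String value;
    }

    // Constructed sample input: the DOCTYPE names a DTD on a host that the
    // parser must never contact. (Example data, not from the original question.)
    static final String XML =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE foo SYSTEM \"http://dtd.example.invalid/foo.dtd\">\n"
          + "<foo><value>hello</value></foo>";

    /** A SAX reader that neither loads the external DTD nor resolves external entities. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // JAXB expects namespace-aware parsing
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No external subset, no validation (validation alone would also pull the DTD)
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature("http://xml.org/sax/features/validation", false);
        // No XXE via general or parameter entities either
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Fail closed: if the parser still asks for any external resource
        // (DTD, parameter or general entity), refuse instead of fetching it.
        reader.setEntityResolver(new EntityResolver() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                throw new SAXException("refusing to resolve external entity: " + systemId);
            }
        });
        return reader;
    }

    /** Unmarshal untrusted XML with the hardened reader instead of JAXB's default one. */
    static Foo unmarshal(String xml) throws Exception {
        JAXBContext jc = JAXBContext.newInstance(Foo.class);
        SAXSource source = new SAXSource(hardenedReader(),
                                         new InputSource(new StringReader(xml)));
        Unmarshaller um = jc.createUnmarshaller();
        return (Foo) um.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        Foo foo = unmarshal(XML);
        System.out.println(foo.value);
    }
}
```

With load-external-dtd and validation both off, Xerces never opens the external subset, so the resolver is not reached and unmarshalling completes with no network access; the DOCTYPE is simply skipped. If the resolver ever does fire, its SAXException is a useful signal that the feature flags did not take effect, for example because SAXParserFactory.newInstance() picked up a non-Xerces parser that does not understand the Apache feature names. If your documents do not legitimately carry a DOCTYPE at all, the stricter setting is spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), which rejects the declaration outright rather than merely not fetching it.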