Tags: java, xml, xxe

How to disable XInclude when parsing XML?


I have been given to understand that XInclude is a potential vulnerability when receiving XML from untrusted sources. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

The XML which I expect from external sources is quite simple and there is never any requirement for including external XML.

I have tried the following to disable XInclude (as recommended in the Cheat Sheet):

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

and used this XML to test

<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="file://d/temp/badxml.xml" parse="xml">
    </xi:include>
</data>

The external file contains invalid XML.

I had expected that the parser would fail if setXIncludeAware is set to true but this is not the case. The snippet is always parseable. I am using Java 8.

Is this a valid test? Is this the correct way to avoid XInclude attacks?


Solution

  • This is the correct way to avoid XInclude and entity attacks, but that is not a valid test for XInclude attacks, as you have discovered.

    According to this answer, "XInclude support relies on namespace support, which is turned off by default for backward compatibility reasons". So call dbf.setNamespaceAware(true);
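The test the answer implies, as an added example (not the answerer's code): with namespace awareness on, the same document is parsed twice, and the xi:include element survives in the DOM only when XInclude is disabled. It assumes the JDK's built-in Xerces parser; the temp file with broken XML and its contents are constructed for the test.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XIncludeCheck {
    static final String XI_NS = "http://www.w3.org/2001/XInclude";

    // Namespace-aware factory (otherwise xi:include is never recognised), XInclude switched
    // by the flag; entity expansion and DOCTYPEs are disabled per the OWASP cheat sheet.
    static DocumentBuilderFactory factory(boolean xinclude) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setXIncludeAware(xinclude);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf;
    }

    // Parses xml and returns how many xi:include elements are left unexpanded in the DOM.
    static int unexpandedIncludes(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagNameNS(XI_NS, "include").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a temp file holding invalid XML, so a real include cannot silently succeed.
        Path bad = Files.createTempFile("badxml", ".xml");
        Files.write(bad, "<not-well-formed>".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?><data xmlns:xi=\"" + XI_NS + "\">"
            + "<xi:include href=\"" + bad.toUri() + "\" parse=\"xml\"/></data>";
        try {
            // Expected 1: the include is ordinary content, nothing is fetched.
            System.out.println("XInclude off: " + unexpandedIncludes(factory(false), xml));
            // Now the file is actually read, so the parse fails (a resolved include would give 0).
            System.out.println("XInclude on: " + unexpandedIncludes(factory(true), xml));
        } catch (SAXException e) {
            System.out.println("XInclude on: parse failed, include was processed: " + e.getMessage());
        } finally {
            Files.deleteIfExists(bad);
        }
    }
}
```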