
XML External Entity (XXE) - External Parameter entities and External General Entities vulnerabilities


To Prevent XXE attacks, I have disabled the features below as recommended for Java DocumentBuilderFactory - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet.

        // Build the factory and close every route by which the parser could reach external content
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration (inline DTD); on its own this already blocks entity-based XXE
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: never resolve external general or parameter entities
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Never fetch an external DTD referenced from the document
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Disable XInclude processing and entity-reference expansion in the resulting DOM
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

Is there any vulnerability if I don't set external-general-entities and external-parameter-entities to false? Setting disallow-doctype-decl to true and XIncludeAware to false will already not allow those external entities to be expanded.

Is it safe to remove those 2 lines from the above code - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - or is it mandatory to keep them as well? If it is mandatory, what are the vulnerabilities if we don't set them to false?

Please provide an example of a vulnerability specific to external-general/parameter-entities even when we set disallow-doctype-decl to true, XIncludeAware to false and ExpandEntityReferences to false.


Solution

  • Keeping them isn't mandatory. Setting disallow-doctype-decl will prevent XXE attacks because any inline DOCTYPE declarations in the untrusted XML will cause the parser to throw an exception.

    However, I recommend keeping the code as-is, since external-general-entities and external-parameter-entities are true by default. If those two lines aren't there and a later maintainer (either naively or by mistake) removes the first line, the code becomes vulnerable again. Having the other lines there explicitly makes it more likely that on further modification, the maintainer will look up those features and, we hope, learn why they are there.