java, xml, xml-parsing, jaxb, xxe

Veracode XML External Entity Reference (XXE) unmarshaling org.w3c.dom.Element


I am getting an XML External Entity Reference (XXE) vulnerability from the code scan audit (Veracode) while unmarshaling an Element.

    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.JAXBException;
    import javax.xml.bind.Unmarshaller;

    // Version flagged by the scan: the unmarshaller consumes the DOM Element directly
    public static <T> T unMarshal(org.w3c.dom.Element content, Class<T> clazz) throws JAXBException {
        JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
        Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
        return (T) unmarshaller.unmarshal(content, clazz).getValue();
    }

How can I fix Improper Restriction of XML External Entity Reference ('XXE') in the above code?


Solution

  • According to your example, you can try this code:

    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.JAXBException;
    import javax.xml.bind.Unmarshaller;
    import javax.xml.stream.XMLInputFactory;
    import javax.xml.stream.XMLStreamException;
    import javax.xml.stream.XMLStreamReader;
    import javax.xml.transform.dom.DOMSource;

    public static <T> T unMarshal(org.w3c.dom.Element content, Class<T> clazz) throws JAXBException, XMLStreamException {
      JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
      Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();

      // StAX factory with DTD processing and external entity resolution disabled
      XMLInputFactory xmlif = XMLInputFactory.newFactory();
      xmlif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
      xmlif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
      // createXMLStreamReader accepts a javax.xml.transform.Source, not a DOM Element, so wrap it;
      // the JDK's built-in StAX implementation rejects DOMSource here, Woodstox accepts it
      XMLStreamReader xsr = xmlif.createXMLStreamReader(new DOMSource(content));

      return (T) unmarshaller.unmarshal(xsr, clazz).getValue();
    }
    

I think that the above solution can resolve the issue related to CWE-611 (XML External Entity Reference).
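An added, self-contained example (not code from the question or the answer) of the same hardening run end to end on a stock JDK: because the JDK's built-in StAX implementation does not accept a DOMSource, the input here is raw XML fed through the hardened XMLInputFactory, which is also the stage at which any entity expansion would actually happen. It assumes the JAXB API (javax.xml.bind) is on the classpath, as the answer's code does; the User class and both input documents are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedJaxbDemo {

    // Assumed target type for the demonstration.
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
    }

    // Same hardening as the answer: no DTD processing, no external entity resolution.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory xmlif = XMLInputFactory.newFactory();
        xmlif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xmlif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xmlif;
    }

    // JAXB never touches the raw document; it only consumes events from the hardened reader.
    static <T> T unmarshal(String xml, Class<T> clazz) throws JAXBException, XMLStreamException {
        XMLStreamReader xsr = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        try {
            return JAXBContext.newInstance(clazz).createUnmarshaller().unmarshal(xsr, clazz).getValue();
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one whose content depends on a DOCTYPE-declared entity.
        String plain = "<user><name>alice</name></user>";
        String withDtd = "<!DOCTYPE user [<!ENTITY greet \"hello\">]><user><name>&greet;</name></user>";

        System.out.println("plain   -> " + unmarshal(plain, User.class).name);
        try {
            // With SUPPORT_DTD=false the declaration is not processed, so the reference cannot be expanded.
            System.out.println("withDtd -> " + unmarshal(withDtd, User.class).name);
        } catch (JAXBException | XMLStreamException e) {
            System.out.println("withDtd -> rejected: " + e.getMessage());
        }
    }
}
```

If the Element is produced elsewhere in the application, the DocumentBuilderFactory that parses it is where the equivalent DTD and external entity restrictions need to be applied, since a DOM handed to JAXB has already been parsed.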