4

I have been trying to fix a Veracode "Improper Restriction of XML External Entity Reference" flaw. I searched for this issue online and found some suggestions on how to resolve it, namely:

To my frustration, Veracode still reports the flaw, and frankly I don't know how to proceed. I installed Java 8 and am using JRE 1.8.

Here is my code snippet (edited per VGR's suggestion):

import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// 'reader' is the java.io.Reader that supplies the XML input.
try {
    InputSource inputSource = new InputSource(reader);
    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();

    // Reject any DOCTYPE outright and disable external entity and DTD loading.
    dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    // JAXP 1.5 properties (Java 7u40+/8): an empty string permits no protocol for external access.
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // intended for TransformerFactory (XSLT)
    dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // XMLInputFactory.SUPPORT_DTD and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES are
    // StAX properties. DocumentBuilderFactory does not recognize them and setAttribute()
    // throws IllegalArgumentException for them, so they are left out here:
    // dbFactory.setAttribute(XMLInputFactory.SUPPORT_DTD, false);
    // dbFactory.setAttribute(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

    dbFactory.setXIncludeAware(false);
    dbFactory.setExpandEntityReferences(false);

    DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
    org.w3c.dom.Document doc = dBuilder.parse(inputSource);
    doc.getDocumentElement().normalize();
} catch (IOException e) {
    e.printStackTrace();
} catch (ParserConfigurationException e) {
    e.printStackTrace();
} catch (SAXException e) {
    e.printStackTrace();
}

How can I resolve this?


0 Answers