Хотел узнать, как мы можем исправить уязвимость Xml EXternal Entity (XXE) с помощью Xstream API.
Как мы можем сделать
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
с DocumentBuilderFactory. Подробнее — https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
Мой код что-то вроде -
public static Class<?>[] myAnnotatedClasses = { Test1.class, Test2.class };
public static Object parseStr(String str) throws XStreamException
{
XStream xstream = new XStream(new StaxDriver());
xstream.processAnnotations(myAnnotatedClasses);
Object obj =xstream.fromXML(str);
return obj;
}