Regarding the 'XML External Entity Injection' reported by Fortify on Java code

Hi,

 

I had HP Fortify report the 'XML External Entity Injection' on my Java code and I made the below fixes to address this.

 

  1. DocumentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
  2. DocumentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Note: DocumentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING , true); is already set to prevent 'XML Entity Expansion'.

 

However, even after these changes the Fortify still reports the 'XML External Entity Injection' error.

 

Wanted to understand if the Fortify rules around the XEE detection is looking for some specific settings to be set on parser apart from the above.

 

Regards,

Harsha.

Tags: