Class DocumentBuilderFactorySecurity


  • public final class DocumentBuilderFactorySecurity
    extends java.lang.Object
    This type exposes helper methods that will help defend against XXE attacks in DocumentBuilderFactory.

    For more on XXE:

    https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

    • Method Summary

      Modifier and Type Method Description
static javax.xml.parsers.DocumentBuilderFactory hardenDocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory factory, boolean expandEntityReferences, boolean allowXinclude)
Harden the DocumentBuilderFactory against XML-based attacks, and make the decision to allow dangerous XML features an explicit, visible part of the API call.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • hardenDocumentBuilderFactory

public static javax.xml.parsers.DocumentBuilderFactory hardenDocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory factory,
                                                                                    boolean expandEntityReferences,
                                                                                    boolean allowXinclude)
Harden the DocumentBuilderFactory against XML-based attacks, and make the decision to allow dangerous XML features an explicit, visible part of the API call.
        Parameters:
        factory - the factory requiring hardening
expandEntityReferences - a parameter which will be passed to DocumentBuilderFactory.setExpandEntityReferences(boolean)
allowXinclude - a parameter which will be passed to DocumentBuilderFactory.setXIncludeAware(boolean)
        Returns:
        a factory that is hardened against XML attacks (e.g., XXE)
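As an added illustration (not this library's own implementation), the following shows the kind of standard JAXP settings a hardening step like hardenDocumentBuilderFactory applies, with the two dangerous features surfaced as caller decisions, and how the resulting factory rejects a document that declares an external entity. The feature URIs are standard SAX/Xerces features; the class name, the harden method and the sample XML are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDbfExample {

    // Mirrors the documented signature; the body illustrates the
    // OWASP-recommended settings and is not the library's own code.
    static DocumentBuilderFactory harden(DocumentBuilderFactory factory,
                                         boolean expandEntityReferences,
                                         boolean allowXinclude)
            throws ParserConfigurationException {
        // Primary defense: refuse any DOCTYPE, so no entities can be declared at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth: never resolve external entities or fetch external DTDs.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The two dangerous features are passed through as explicit caller decisions.
        factory.setExpandEntityReferences(expandEntityReferences);
        factory.setXIncludeAware(allowXinclude);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an XXE-style document declaring an external entity.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///example/placeholder.txt\">]>\n"
                + "<r>&ext;</r>";
        DocumentBuilder builder = harden(DocumentBuilderFactory.newInstance(), false, false)
                .newDocumentBuilder();
        try {
            builder.parse(new InputSource(new StringReader(xxe)));
            System.out.println("UNEXPECTED: document parsed");
        } catch (SAXParseException e) {
            // The hardened parser rejects the DOCTYPE before any entity is resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```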