
Java EE (Java Enterprise Edition) General Discussion


Billion laughs (entity expansion attack) prevention for Xerces

4162541, Jan 2 2020 (edited Jan 2 2020)

Using Java EE 1.8.0_201 (oracle jvm), I'm having a hard time finding any documentation on how to set a global entity expansion limit. I'm setting this on startup currently

System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(100));

This seems to have no effect, I can still perform a basic billion laughs attack and the thread just runs away. XMLSecurityManager has some logic for setting this but there is no way to provide one for a SAXParserFactory, XMLParser, XMLReader, EntityResolver, etc. I'm also reading that the limit applies to any entity, i.e. if I were to just have a large number of   characters, which would be really bad if true. Is there some hidden documentation about all this that I am missing?

Comments

4162541

Furthermore, if I try to use the XMLSecurityManager class, I get a compilation error

error: package com.sun.org.apache.xerces.internal.utils does not exist

Why do any of these classes' configuration options even exist if they aren't meant to be used?
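The supported way to apply these limits is through the public JAXP API on the factory and parser rather than the internal XMLSecurityManager class. The following is an added example, not code from the original post or from Oracle's documentation; it assumes the JDK 8 built-in Xerces parser, uses the standard JAXP/Xerces feature and property names, and the sample document is constructed for the demonstration (111 entity references, a 100-character result).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SafeSaxParsing {

    // Per-parser JAXP property (JDK 7u40+). The jdk.xml.entityExpansionLimit
    // system property only supplies the process-wide default for it.
    private static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    /** Strictest option: reject any document carrying a DOCTYPE, so no entities can be declared at all. */
    public static SAXParser noDoctypeParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser();
    }

    /** When internal DTDs must be accepted: keep secure processing, forbid external entities, cap expansions. */
    public static SAXParser cappedParser(int maxExpansions) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser p = f.newSAXParser();
        // The limit is a parser property, not a factory feature.
        p.setProperty(ENTITY_EXPANSION_LIMIT, Integer.toString(maxExpansions));
        return p;
    }

    /** Parses with a no-op handler; returns false when the parser rejects the document. */
    static boolean parses(SAXParser p, String xml) throws Exception {
        try {
            p.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: three nested entities, tenfold per level (1 + 10 + 100 references).
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY a \"x\">"
                + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
                + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]><r>&c;</r>";
        System.out.println("no-DOCTYPE parser: " + parses(noDoctypeParser(), xml));
        System.out.println("capped parser (100): " + parses(cappedParser(100), xml));
        System.out.println("plain document: " + parses(cappedParser(100), "<r>ok</r>"));
    }
}
```

entityExpansionLimit counts entity references, not output characters, so a document with many references to a one-character entity also reaches it; the separate jdk.xml.totalEntitySizeLimit property caps the expanded size instead.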
