Forum Stats

  • 3,854,149 Users
  • 2,264,327 Discussions
  • 7,905,577 Comments

Discussions

Billion laughs (entity expansion attack) prevention for Xerces

4162541
4162541 Member Posts: 2
edited Jan 2, 2020 4:31PM in Java Technology & XML

Using Java EE 1.8.0_201 (oracle jvm), I'm having a hard time finding any documentation on how to set a global entity expansion limit. I'm setting this on startup currently

System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(100));

This seems to have no effect, I can still perform a basic billion laughs attack and the thread just runs away. XMLSecurityManager has some logic for setting this but there is no way to provide one for an SAXParserFactory, XMLParser, XMLReader, EntityResolver, etc. I'm also reading that the limit applies to any entity, i.e. if I were to just have a large number of   characters, which would be really bad if true. Is there some hidden documentation about all this that I am missing?

Answers

  • 4162541
    4162541 Member Posts: 2
    edited Jan 2, 2020 4:31PM

    Furthermore if I try to use the XMLSecurityManager class I get a compilation error

    error: package com.sun.org.apache.xerces.internal.utils does not exist

    Why do any of these classes' configuration options even exist if they aren't meant to be used?