I'm running Java 8 and SonarQube tells me that using TransformerFactory.newInstance() is vulnerable to external XML and XSLT attacks.
I'm trying to insert the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes into my TransformerFactory to avoid XML and XSLT External Entity attacks. Searching forums, I see that the solution is to add the following attributes to the TransformerFactory:
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

// Disable external DTD and stylesheet access (JAXP 1.5 properties), then enable secure processing
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
But that doesn't work for me. It tells me that the attributes do not exist. How can I fix this?
I finally found a solution and now it does detect the attributes:
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
// TransformerFactoryImpl is a concrete implementation class; its import depends on which XSLT engine is used

// Instantiate the implementation class directly instead of going through TransformerFactory.newInstance()
TransformerFactory transformerFactory = new TransformerFactoryImpl();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
I don't know if it's the right thing to do but it works and keeps the sonar from complaining.
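The IllegalArgumentException in the question is the usual symptom of TransformerFactory.newInstance() picking up a different XSLT implementation from the classpath (one that does not know the JAXP 1.5 access attributes), which is why instantiating a specific implementation class makes the attributes "appear". The following is an added example, not code from the question or the answer: it prints which factory class was actually loaded, fails closed when an attribute is unsupported instead of silently running unhardened, and then checks that the hardened factory rejects a stylesheet that tries to include an external resource. The class name, the helper names and the http://example.invalid/ placeholder URL are assumptions of this example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformerFactoryDemo {

    // Builds a TransformerFactory with external access disabled and reports which
    // implementation class was loaded: an IllegalArgumentException from setAttribute
    // means the loaded implementation (not necessarily the JDK's built-in XSLTC)
    // does not recognise the JAXP 1.5 attribute.
    static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        System.out.println("Loaded TransformerFactory: " + factory.getClass().getName());

        // FEATURE_SECURE_PROCESSING must be supported by every JAXP implementation
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // The access properties are implementation-specific; fail closed if unsupported
        setAttributeOrFail(factory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        setAttributeOrFail(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Hypothetical helper: an unsupported attribute means the factory cannot be
    // proven safe, so stop instead of continuing with an unhardened factory
    static void setAttributeOrFail(TransformerFactory factory, String name, String value) {
        try {
            factory.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException(factory.getClass().getName()
                    + " does not support " + name + "; use an implementation that does", e);
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = newHardenedFactory();

        // 1. A self-contained stylesheet (constructed sample) still works after hardening
        String localXsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc\"/></out></xsl:template>"
                + "</xsl:stylesheet>";
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(localXsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader("<doc>hello</doc>")), new StreamResult(out));
        System.out.println("Local transform: " + out);

        // 2. A stylesheet that tries to pull in an external resource (placeholder URL,
        //    never fetched) must be rejected when the stylesheet is compiled
        String remoteXsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:include href=\"http://example.invalid/placeholder.xsl\"/>"
                + "</xsl:stylesheet>";
        try {
            factory.newTransformer(new StreamSource(new StringReader(remoteXsl)));
            System.out.println("WARNING: external stylesheet access was not blocked");
        } catch (TransformerConfigurationException e) {
            System.out.println("External stylesheet blocked: " + e.getMessage());
        }
    }
}
```

Running this prints the loaded implementation class first; if it is not the JDK's built-in factory, that class is the reason the attributes were rejected, and the fix is to remove or reconfigure that dependency (or, as in the answer, instantiate the implementation you have verified supports the attributes). The second check is worth keeping as a unit test so a later classpath change cannot quietly re-enable external access.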