Minor fix to BenchmarkScore to make XXE defense not break parsing of some XML docs.

davewichers · davewichers · commit 55a3b6c71ea3 · 2015-10-25T15:47:45.000-04:00
diff --git a/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java b/src/main/java/org/owasp/benchmark/score/BenchmarkScore.java
@@ -1268,8 +1268,11 @@ private static void updateMenuTemplates( String toolmenu, String vulnmenu ) {
 	
 	private static Document getXMLDocument( File f ) throws Exception {
         DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
-		// Prevent XXE
-		docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		// Prevent XXE = Note, disabling this entirely breaks the parsing of some XML files, like a Burp results
+        // file, so have to use the alternate defense.
+		//dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
         InputSource is = new InputSource(new FileInputStream(f));
         Document doc = docBuilder.parse(is);
