In the following method I defined a DocumentBuilderFactory with the XMLConstants feature FEATURE_SECURE_PROCESSING set to false.
```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // Compliant
    return factory;
}
```
However, when I test the value of this property, it is ‘true’ after the DocumentBuilderFactory is returned.
I read the source documentation, and it states:
It is possible for an {@code TransformerFactory} to expose a feature value but be unable to change its state.
I am assuming this property is “unchangeable” by simply setting it to false. I am curious, is it possible to use Reflection to get around this? Are there any other more “stable” ways of setting this property to false?
Answer
FEATURE_SECURE_PROCESSING cannot be turned off, unfortunately. You can effectively override this security measure by adjusting the limits associated with FEATURE_SECURE_PROCESSING.
Example via System Properties:
```java
final String MAX_XPATH_GROUP_LIMIT = "jdk.xml.xpathExprGrpLimit";
final String MAX_XPATH_OPERATOR_LIMIT = "jdk.xml.xpathExprOpLimit";
final String MAX_XPATH_TOTAL = "jdk.xml.xpathTotalOpLimit";

System.setProperty(MAX_XPATH_GROUP_LIMIT, "-1");
System.setProperty(MAX_XPATH_OPERATOR_LIMIT, "-1");
System.setProperty(MAX_XPATH_TOTAL, "-1");
```
Values <= 0 are equivalent to ‘no limit’.
Source: https://www.oracle.com/java/technologies/javase/11-0-15-relnotes.html
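As an added example (not code from the question or the answer), the following Java program reads the feature back as the question does, then applies the answer's system-property approach narrowly: a constructed expression with 120 `+` operators is compiled under the default limits (the linked release notes give a default operator limit of 100) and again after raising only `jdk.xml.xpathExprOpLimit` to a bounded 150 instead of setting all three properties to -1. The property name is the one from the answer; the class name, the 120 and 150 values and the expression itself are assumptions chosen for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

public class XPathLimitDemo {

    // Reads the feature back after trying to clear it, exactly as the question does.
    static boolean secureProcessingReported() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
    }

    // Constructed expression "1 + 1 + ... + 1" with the given number of '+' operators.
    static String sumOfOnes(int operators) {
        StringBuilder sb = new StringBuilder("1");
        for (int i = 0; i < operators; i++) {
            sb.append(" + 1");
        }
        return sb.toString();
    }

    // True if the expression compiles under the limits in force when the factory is created.
    // The jdk.xml.* system properties are read when the factory is built, so set them first.
    static boolean compiles(String expr) {
        try {
            XPathFactory.newInstance().newXPath().compile(expr);
            return true;
        } catch (XPathExpressionException e) {
            return false; // operator limit exceeded (or a genuine syntax error)
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("FEATURE_SECURE_PROCESSING reported: " + secureProcessingReported());

        String expr = sumOfOnes(120); // assumed value, above the default operator limit of 100
        System.out.println("default limits, 120 operators compiles: " + compiles(expr));

        // Raise one limit, only as far as the known-good expression needs (assumed 150),
        // rather than setting all three limits to -1, which removes the protection entirely.
        System.setProperty("jdk.xml.xpathExprOpLimit", "150");
        System.out.println("op limit 150, 120 operators compiles: " + compiles(expr));
    }
}
```

System properties are process-wide, so the raised limit applies to every XPathFactory created afterwards in the same JVM; keep the value as small as the expressions you actually need to compile allow.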