When I run HP fortify the following code is given as a XML External Entity injection.Problem line is specified as Error Line.Any Help is appreciated.
private Document parseXmlString(String stringname, boolean validating) {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(validating);
ByteArrayInputStream is = new ByteArrayInputStream(stringname.getBytes());
Document doc = factory.newDocumentBuilder().parse(is);//Error Line
return doc;
} catch (SAXException e) {
// A parsing error occurred; the xml input is not valid
} catch (ParserConfigurationException e) {
} catch (IOException e) {
}
return null;
}
I hope this is what you are looking for:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Related
In my app I need to read the content of an element from an xml file.
So I write in my LocalRead.java class the method "getValueOfElement" in this way:
[...]
public String getValueOfElement (String filename, String what){
try{
File xmlDocument = new File ("/Unknow_Path/"+filename);
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(xmlDocument);
String lookingFor = document.getElementsByTagName(what).item(0).getTextContent();
return lookingFor;
} catch (FileNotFoundException e) {
System.err.println("----------------- File not found -----------------");
e.printStackTrace();
return "";
} catch (ParserConfigurationException e) {
System.err.println("----------------- Error creating DocumentBuilder -----------------");
e.printStackTrace();
return "";
} catch (SAXException e) {
System.err.println("----------------- Error creating the document(Sax) -----------------");
e.printStackTrace();
return "";
} catch (IOException e) {
System.err.println("----------------- Error creating the document(IO) -----------------");
e.printStackTrace();
return "";
}
}
[...]
As you can see, when I create the File "xmlDocument" I don't know the path where my xml file is. I used this class to create the file.
import android.content.Context;
import java.io.FileOutputStream;
import java.io.IOException;
public class FileBuilder {
private String xmlContent;
private String filename;
private Context context;
private FileOutputStream outputStream;
public FileBuilder(Context context){
this.context = context;
}
public boolean createUserFile(String username, String password){
this.xmlContent = "<?xml version='1.0' encoding='UTF-8'?>\n" +
"<giocatore>\n" +
"<username>"+username+"</username>\n" +
"<password>"+password+"</password>\n" +
"</giocatore>";
this.filename = "[D&D]User.xml";
try{
outputStream = context.openFileOutput(filename, context.MODE_PRIVATE);
outputStream.write(xmlContent.getBytes());
outputStream.close();
System.out.println("----------------- File created -----------------");
return true;
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
}
How can I find out what the path is?
Like CommonsWare says in the comments, Document can parse an InputStream. So you can load the file as a Document using openFileInput(). Here the complete code:
[...]
public String getValueOfElement (String filename, String what){
try{
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(context.openFileInput(filename));
String lookingFor = document.getElementsByTagName(what).item(0).getTextContent();
return lookingFor;
} catch (FileNotFoundException e) {
System.err.println("----------------- File not found -----------------");
e.printStackTrace();
return "";
} catch (ParserConfigurationException e) {
System.err.println("----------------- Error creating DocumentBuilder -----------------");
e.printStackTrace();
return "";
} catch (SAXException e) {
System.err.println("----------------- Error creating the document(Sax) -----------------");
e.printStackTrace();
return "";
} catch (IOException e) {
System.err.println("----------------- Error creating the document(IO) -----------------");
e.printStackTrace();
return "";
}
}
[...]
Remember that openFileInput() need a Context.
Thanks to #CommonsWare for the answer
I am trying to 'GET' a rss feed.
public RssFeed(String url) {
_url = url;
String res = this.api.get(url);
ByteArrayInputStream bis = new ByteArrayInputStream(res.getBytes());
try {
bis.close();
} catch (IOException e) {
e.printStackTrace();
}
XMLDecoder decoder = new XMLDecoder(bis);
try {
Object xml = decoder.readObject();
_response = xml.toString();
} catch(Exception e) {
e.printStackTrace();
} finally {
decoder.close();
}
}
When I check what's inside of 'res'. It appears to get this entire XML.
But then, I am trying to decode it and I get:
java.lang.IllegalArgumentException: Unsupported element: rss
Can someone help me with that? I am new to Java.
Thanks!
XMLDecoder is meant to be used on elements created by XMLEncoder. Since you're scraping this XML from the web, the elements in this XML may not be valid according to these classes. Use a more generic XML parser, such as DocumentBuilder::parse() to handle this.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
try {
builder.parse(url);
} catch (IOException e) {
e.printStackTrace();
} catch (SAXParseException e) {
e.printStackTrace();
} catch (IllegalArgumentException e) {
e.printStackTrace();
}
I'm trying to parse SVG file to get paths using Xpath within android application. Native java parse the path in following way.
try {
Document document = builder.parse(
new FileInputStream("c:\\employees.xml"));
} catch (SAXException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
I try to do using FileDescriptor as follows.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = null;
try {
builder = factory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
e.printStackTrace();
}
AssetManager assetManager = getBaseContext().getAssets();
AssetFileDescriptor assetFileDescriptor = null;
try {
assetFileDescriptor = assetManager.openFd("android.svg");
} catch (IOException e) {
e.printStackTrace();
}
FileDescriptor fileDescriptor = assetFileDescriptor.getFileDescriptor();
FileInputStream stream = new FileInputStream(fileDescriptor);
try {
Document document = builder.parse(stream);
} catch (SAXException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
However my app stopped working. What's wrong in my code?
You do not need FileDescriptor. Try as follows.
InputStream input = assetManager.open("android.svg"); //From your asset folder
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = null;
try {
builder = factory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
e.printStackTrace();
}
And parse your input to builder.
Document document = builder.parse(input);
Here is my code snippet:
public EpsXmlParser(String xmlAnswer) {
DOMParser parser = new DOMParser();
try {
InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xmlAnswer));
parser.parse(is);
} catch (SAXException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}
Document doc = parser.getDocument();
parseXmlDoc(doc.getDocumentElement());
}
In this code block String xmlAnswer is actually an UTF-8 encoding xml taken from another machine using web service client program.
I realized when debugging that the problem here is after parser.getDocument() method implemented Document doc is being null.
I can not fix the problem. Please help me what should I do?
I can not get any exception. Code runs pretty well but Document doc will be like this (look at the snapshot below). I can not understand what is the problem is. Any help will be appreciated.
I used an XML like this. Is this XML format standard? If it is standard how can not I get any exception while using the predefined xml parsing codes.
<?xml version="1.0" encoding="UTF-8"?>
<extra_result><status>00</status><data><transaction_id>3c704f15-7c09-4bba-9046- ffbdb8c97b51</transaction_id><card_status>11</card_status><status_msg>Kart numarası yanlış. </status_msg><card_no>48422</card_no><name_surname></name_surname><gsm></gsm><bonus></bonus></data></extra_result>
I have managed to run the code with no problem by providing an example XML string document.
It suggests the problem is most likely with the XML string itself given in the xmlAnswer argument.
In order to see where exactly is your problem try to change your code and run the following:
public EpsXmlParser(String xmlAnswer) {
DOMParser parser = new DOMParser();
try {
InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xmlAnswer));
parser.parse(is);
} catch (Exception e) {
throw new RuntimeException("Error on parsing document", e);
}
Document doc = parser.getDocument();
parseXmlDoc(doc.getDocumentElement());
}
I expect the exception will be thrown with actual reason of parsing error.
I am trying to get the DOM element from a UTF-8 Encoded XML parsed file containing arabic characters.
The below method take the parsed xml string and is supposed to return the Document.
here is a link to the xml:
http://212.12.165.44:7201/UniNews121.xml
public Document getDomElement(String xml){
Document doc = null;
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource();
StringReader xmlstring=new StringReader(xml);
is.setCharacterStream(xmlstring);
is.setEncoding("UTF-8");
//APP CRASHES HERE
doc = db.parse(is);
} catch (ParserConfigurationException e) {
Log.e("Error: ", e.getMessage());
return null;
} catch (SAXException e) {
Log.e("Error: ", e.getMessage());
return null;
} catch (IOException e) {
Log.e("Error: ", e.getMessage());
return null;
}
// return DOM
return doc;
}
Error:
09-18 13:36:20.031: E/Error:(3846): Unexpected token (position:TEXT xml version="1.0...#2:1 in java.io.InputStreamReader#4144ac08)
I would appreciate your help but please be specific in your answers
It happened a lot of times to me, you should double check the encoding of the file you are opening. I suggest you to test this with a local copy of the file where you set the encoding by hand.