Resolving XXE for Oracle DomParser


Here is the code snippet for the DomParser I am using; the DomParser is Oracle's.

import java.io.StringReader;
import oracle.xml.parser.v2.DOMParser;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

DOMParser domParser = new DOMParser();
domParser.parse(new StringReader(xmlPayload));   // throws XMLParseException, SAXException, IOException
Document doc = domParser.getDocument();

doc.getDocumentElement().normalize();
System.out.println("Root element :" + doc.getDocumentElement().getNodeName());
NodeList nList = doc.getElementsByTagName("student");

Recently our Security team has raised a concern that the above DOM parser is vulnerable to a security attack and has come up with a recommendation on setting two attributes:

domParser.setAttribute("RESOLVE_ENTITY_DEFAULT", true);
domParser.setAttribute("DEFAULT_ENTITY_EXPANSION_DEPTH", 150);

But on setting these attributes, I am getting the below error:

Exception in thread "main" java.lang.IllegalArgumentException
at oracle.xml.parser.v2.XMLParser.setAttribute(XMLParser.java:870)
at oracle.xml.parser.v2.DOMParser.setAttribute(DOMParser.java:538)
at DomParserExample.main(DomParserExample.java:20)

Kindly let me know how I can prevent XML entity expansion injection and XXE attacks. I have tried looking into the OWASP XEE Cheat Sheet and browsed through various questions and answers about XXE attacks, but could not find a solution for this.


There are 3 best solutions below

BEST ANSWER

Try this:

import oracle.xml.parser.v2.XMLParser;   // the attribute-name constants live here; the bare strings are not valid attribute names

domParser.setAttribute(XMLParser.RESOLVE_ENTITY_DEFAULT, true);
domParser.setAttribute(XMLParser.DEFAULT_ENTITY_EXPANSION_DEPTH, 150);

The proper way to handle XXE in Oracle DOMParser is documented here:

https://docs.oracle.com/en/database/oracle/oracle-database/18/adxdk/security-considerations-oracle-xml-developers-kit.html#GUID-45303542-41DE-4455-93B3-854A826EF8BB

    import oracle.xml.parser.v2.DOMParser;
    import oracle.xml.parser.v2.DTD;

    // Extend oracle.xml.parser.v2.XMLParser
    DOMParser domParser = new DOMParser();

    // Do not expand entity references
    domParser.setAttribute(DOMParser.EXPAND_ENTITYREF, false);

    // dtdObj is an instance of oracle.xml.parser.v2.DTD (a trusted DTD you build beforehand; not shown here)
    domParser.setAttribute(DOMParser.DTD_OBJECT, dtdObj);

    // Do not allow more than 11 levels of entity expansion
    domParser.setAttribute(DOMParser.ENTITY_EXPANSION_DEPTH, 12);
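A complete hardened configuration assembled from the attributes in the Oracle guidance quoted in this answer, added here as an example (it is not code from the question, the answers or Oracle). The class name and the file path in the payload are constructed placeholders, and the node-type check assumes that EXPAND_ENTITYREF=false leaves EntityReference nodes in the DOM, as the attribute's purpose implies.

```java
import java.io.IOException;
import java.io.StringReader;
import oracle.xml.parser.v2.DOMParser;
import oracle.xml.parser.v2.XMLParser;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.SAXException;

public class HardenedDomParserExample {
    // Constructed sample input: an external entity of the kind XXE relies on.
    // The SYSTEM path is a placeholder, not a real file.
    static final String XML_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE students [\n"
        + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">\n"
        + "]>\n"
        + "<students><student>&ext;</student></students>";

    /** DOMParser configured with the attributes from the Oracle XDK guidance above. */
    static DOMParser hardenedParser() {
        DOMParser parser = new DOMParser();
        // Constants are inherited from oracle.xml.parser.v2.XMLParser; passing the bare
        // strings "RESOLVE_ENTITY_DEFAULT" etc. is what raises IllegalArgumentException.
        parser.setAttribute(XMLParser.EXPAND_ENTITYREF, false);     // keep entity refs unexpanded
        parser.setAttribute(XMLParser.ENTITY_EXPANSION_DEPTH, 12);  // no more than 11 levels (DoS cap)
        return parser;
    }

    /** Parses untrusted XML; returns null when the hardened parser rejects it. */
    static Document parseUntrusted(String xml) throws IOException {
        DOMParser parser = hardenedParser();
        try {
            parser.parse(new StringReader(xml));   // XMLParseException is a SAXException
        } catch (SAXException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
        return parser.getDocument();
    }

    public static void main(String[] args) throws IOException {
        Document doc = parseUntrusted(XML_PAYLOAD);
        if (doc == null) return;
        // With EXPAND_ENTITYREF=false the child of <student> is expected to be an
        // EntityReference node rather than the contents of the referenced file.
        Node child = doc.getElementsByTagName("student").item(0).getFirstChild();
        System.out.println("child node type = " + child.getNodeType()
            + (child.getNodeType() == Node.ENTITY_REFERENCE_NODE ? " (entity reference)" : ""));
    }
}
```

Compile against the Oracle XDK jar (xmlparserv2) on the classpath; if DTD_OBJECT is also set as in the answer above, the parser validates against the trusted DTD you supply instead of the one embedded in the input.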

What will be the Maven dependency version to use XMLParser and DOMParser to resolve the Fortify fix for DOMParser?