
Java EE (Java Enterprise Edition) General Discussion

Billion laughs (entity expansion attack) prevention for Xerces

4162541, Jan 2 2020 (edited Jan 2 2020)

Using Java EE 1.8.0_201 (oracle jvm), I'm having a hard time finding any documentation on how to set a global entity expansion limit. I'm setting this on startup currently

System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(100));

This seems to have no effect, I can still perform a basic billion laughs attack and the thread just runs away. XMLSecurityManager has some logic for setting this but there is no way to provide one for an SAXParserFactory, XMLParser, XMLReader, EntityResolver, etc. I'm also reading that the limit applies to any entity, i.e. if I were to just have a large number of   characters, which would be really bad if true. Is there some hidden documentation about all this that I am missing?

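The following is an added example (not code from the original poster): it builds a deliberately scaled-down laughs document, then parses it three ways with the JAXP SAX API to show where the expansion limit actually gets enforced. The entity names lol0 to lol4, the limit of 100 and the handler that counts delivered characters are constructed for the demonstration; the reflective fallback assumes that a parser which rejects the Oracle property name is stand-alone Apache Xerces, which exposes its limits through org.apache.xerces.util.SecurityManager instead of the jdk.xml.* properties.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityExpansionDemo {

    // JAXP property understood by the JDK's bundled parser (com.sun.org.apache.xerces.internal.*);
    // a value set here overrides the jdk.xml.entityExpansionLimit system property for this instance.
    static final String JDK_ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    // Property understood by stand-alone Apache Xerces (xercesImpl.jar), which ignores jdk.xml.*.
    static final String XERCES_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
    // Feature both implementations understand: reject any DOCTYPE, so no internal entities exist at all.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Constructed scaled-down billion laughs: 5 levels x 10 references = 11,111 entity
     *  expansions yielding 30,000 characters. Enough to exceed a limit of 100, small
     *  enough to finish instantly if no limit is enforced. */
    static String smallLaughs() {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n");
        sb.append(" <!ENTITY lol0 \"lol\">\n");
        for (int level = 1; level <= 4; level++) {
            sb.append(" <!ENTITY lol").append(level).append(" \"");
            for (int i = 0; i < 10; i++) sb.append("&lol").append(level - 1).append(';');
            sb.append("\">\n");
        }
        return sb.append("]>\n<lolz>&lol4;</lolz>\n").toString();
    }

    /** Parser with an explicit per-instance expansion limit. Falls back to Apache Xerces's
     *  SecurityManager, loaded reflectively so this file compiles without xercesImpl.jar. */
    static SAXParser limitedParser(int limit) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser p = f.newSAXParser();
        try {
            p.setProperty(JDK_ENTITY_EXPANSION_LIMIT, Integer.valueOf(limit));
        } catch (SAXNotRecognizedException notJdkParser) {
            // Assumption: the implementation on the classpath is Apache Xerces.
            Class<?> smClass = Class.forName("org.apache.xerces.util.SecurityManager");
            Object sm = smClass.getDeclaredConstructor().newInstance();
            smClass.getMethod("setEntityExpansionLimit", int.class).invoke(sm, limit);
            p.setProperty(XERCES_SECURITY_MANAGER, sm);
        }
        return p;
    }

    /** Parser that refuses DOCTYPE declarations: without a DTD there are no entity bombs and no XXE. */
    static SAXParser noDoctypeParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser();
    }

    /** Parses xml and reports either the number of content characters delivered to the
     *  handler (expansion happened) or the fatal error with which the parser stopped. */
    static String parseAndReport(SAXParser p, String xml) throws Exception {
        final int[] chars = {0};
        DefaultHandler counter = new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int length) { chars[0] += length; }
        };
        try {
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), counter);
            return "parsed OK, " + chars[0] + " characters of content";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Which implementation JAXP resolved decides which limit properties are honoured.
        System.out.println("factory  : " + SAXParserFactory.newInstance().getClass().getName());

        String bomb = smallLaughs();
        System.out.println("default  : " + parseAndReport(SAXParserFactory.newInstance().newSAXParser(), bomb));
        System.out.println("limit 100: " + parseAndReport(limitedParser(100), bomb));
        System.out.println("no DTD   : " + parseAndReport(noDoctypeParser(), bomb));

        String benign = "<doc>&amp;&lt;plain&gt;</doc>";
        System.out.println("benign   : " + parseAndReport(limitedParser(100), benign));
    }
}
```

The first line of output is the diagnostic to check before anything else. If the factory class is com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl, the JDK's bundled parser is in use: it reads jdk.xml.entityExpansionLimit when a parser is created, defaults to 64000 expansions, and the Oracle property above overrides it per instance (the same name works with XMLReader.setProperty). If it is org.apache.xerces.jaxp.SAXParserFactoryImpl, an xercesImpl.jar on the classpath has won the JAXP lookup; that build never looks at jdk.xml.* and has no expansion limit at all until a SecurityManager is installed, which matches a thread that simply runs away. In both implementations the counter increments once per expansion of a declared general entity regardless of its size, so many references to a one-character entity declared in the DTD count the same as a nested bomb, while the five predefined entities (&amp;, &lt;, &gt;, &quot;, &apos;) are not declared entities and are not counted. When the application never needs DTDs, rejecting DOCTYPE as in noDoctypeParser is the setting that holds regardless of which implementation is loaded.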