The XML files of incoming requests need to be validated. One requirement is that character references are prevented entirely because of possible DoS attacks. If I configure the SAXParserFactory like below:

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the parser still resolves 100.000 entity expansions:

The parser has encountered more than "100.000" entity expansions in this document; this is the limit imposed by the application.

The prevention of external references was done via an EntityResolver, which works fine. But how do I prevent the character references?


Solution

Character references cannot cause a denial of service attack, so there is no reason to prevent them.

Other tips

An instance of org.apache.xerces.util.SecurityManager can limit the number of entity expansions. Here's an example.

SAXParser saxParser = spf.newSAXParser();
// Xerces' SecurityManager counts entity expansions while parsing
org.apache.xerces.util.SecurityManager mgr = new org.apache.xerces.util.SecurityManager();
// a limit of -1 is exceeded by the very first expansion
mgr.setEntityExpansionLimit(-1);
saxParser.setProperty("http://apache.org/xml/properties/security-manager", mgr);

With this, the parsing process terminates if the XML file contains at least one entity reference. Now there's no more need for an EntityResolver.

The jar file which contains the SecurityManager can be downloaded here.
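The following is an added example and is not code from the question or the answers above. It shows the distinction the accepted answer draws: character references such as &#65; are resolved by the tokenizer without any DTD and are never counted as entity expansions, while an internal-entity chain of the "billion laughs" shape is. It uses only JDK/JAXP settings on the built-in parser, so no separate Xerces jar is needed: the "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit" property (available on the JDK parser since 7u45) as the counterpart of the Xerces SecurityManager, and, as a stricter alternative, the Xerces feature "http://apache.org/xml/features/disallow-doctype-decl", which rejects any document carrying a DOCTYPE and therefore every internal-entity attack. The two XML documents are constructed for this demonstration and kept tiny so the example is safe to run.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo {

    // Constructed sample: character references only, no DTD. Expands to "AB".
    static final String CHAR_REFS =
        "<?xml version=\"1.0\"?><root>&#65;&#x42;</root>";

    // Constructed sample: a two-level internal-entity chain, the same shape as
    // the "billion laughs" attack but deliberately tiny (11 expansions).
    static final String ENTITY_EXPANSION =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE root ["
        + "<!ENTITY a \"aaaaaaaaaa\">"
        + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
        + "]>"
        + "<root>&b;</root>";

    // Build a parser that rejects entity expansion but keeps character
    // references. Assumes the JDK's built-in JAXP parser (no Xerces jar).
    static SAXParser hardenedParser(boolean disallowDoctype) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Never fetch external general or parameter entities.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        if (disallowDoctype) {
            // Internal entities need a DOCTYPE, so refusing the DOCTYPE refuses
            // every entity expansion attack; &#nn; references are unaffected.
            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        SAXParser parser = spf.newSAXParser();
        if (!disallowDoctype) {
            // JDK counterpart of Xerces' SecurityManager.setEntityExpansionLimit:
            // allow at most one expansion per document.
            parser.setProperty(
                "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", "1");
        }
        return parser;
    }

    // Parse and collect character data so we can see what the references
    // expanded to.
    static String parseText(SAXParser parser, String xml) throws Exception {
        final StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        for (boolean disallowDoctype : new boolean[] {false, true}) {
            SAXParser parser = hardenedParser(disallowDoctype);
            System.out.println("disallow-doctype-decl=" + disallowDoctype);
            // Character references parse fine under both configurations.
            System.out.println("  character refs  -> " + parseText(parser, CHAR_REFS));
            try {
                parseText(parser, ENTITY_EXPANSION);
                System.out.println("  entity expansion -> accepted (unexpected)");
            } catch (SAXException e) {
                // Expected: the expansion limit is exceeded, or the DOCTYPE
                // itself is refused.
                System.out.println("  entity expansion -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In both configurations the first document yields "AB" and the second is rejected with a SAXParseException. If a standalone Xerces jar is on the classpath instead of the JDK parser, the Oracle entityExpansionLimit property may not be recognized; in that case the org.apache.xerces.util.SecurityManager approach from the tip above, or the disallow-doctype-decl feature, is the way to go.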

Licensed under: CC-BY-SA with attribution