Fail to build secure XML DocumentBuilderFactory

[Lohita9]

Issue details

This issue occurs when I decompile an APK using Jadx on my Android device.

Relevant log output or stacktrace

---StackTrace---
java.lang.ExceptionInInitializerError
	at jadx.core.xmlgen.XmlSecurity.verifyAppPackage(XmlSecurity.java:26)
	at jadx.core.xmlgen.ResourceStorage.setAppPackage(ResourceStorage.java:79)
	at jadx.core.xmlgen.ResTableBinaryParser.parsePackage(ResTableBinaryParser.java:161)
	at jadx.core.xmlgen.ResTableBinaryParser.decodeTableChunk(ResTableBinaryParser.java:118)
	at jadx.core.xmlgen.ResTableBinaryParser.decode(ResTableBinaryParser.java:91)
	at jadx.api.ResourcesLoader.decodeTable(ResourcesLoader.java:173)
	at jadx.core.dex.nodes.RootNode.lambda$loadResources$7(RootNode.java:210)
	at jadx.core.dex.nodes.RootNode$$ExternalSyntheticLambda16.decode(D8$$SyntheticClass:0)
	at jadx.api.ResourcesLoader.decodeStream(ResourcesLoader.java:113)
	at jadx.core.dex.nodes.RootNode.loadResources(RootNode.java:210)
	at jadx.api.JadxDecompiler.load(JadxDecompiler.java:126)
	at com.lohita.miss.MainActivity$1.onClick(MainActivity.java:41)
	at android.view.View.performClick(View.java:7507)
	at com.google.android.material.button.MaterialButton.performClick(MaterialButton.java:1218)
	at android.view.View.performClickInternal(View.java:7484)
	at android.view.View.access$3600(View.java:839)
	at android.view.View$PerformClick.run(View.java:28689)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:236)
	at android.app.ActivityThread.main(ActivityThread.java:8057)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
Caused by: java.lang.RuntimeException: Fail to build secure XML DocumentBuilderFactory
	at jadx.core.xmlgen.XmlSecurity.buildDBF(XmlSecurity.java:51)
	at jadx.core.xmlgen.XmlSecurity.<clinit>(XmlSecurity.java:16)
	... 24 more
Caused by: javax.xml.parsers.ParserConfigurationException: http://apache.org/xml/features/disallow-doctype-decl
	at org.apache.harmony.xml.parsers.DocumentBuilderFactoryImpl.setFeature(DocumentBuilderFactoryImpl.java:101)
	at jadx.core.xmlgen.XmlSecurity.buildDBF(XmlSecurity.java:42)
	... 25 more

Provide sample and class/method full name

my-debug.zip

Jadx version

latest unstable version

[jpstotz]

As there is no Android version of Jadx you seem to use Jadx as library. However the version "latest unstable version" does not really match the stack trace you have posted.

Especially the stack trace element at jadx.core.xmlgen.XmlSecurity.verifyAppPackage(XmlSecurity.java:26) does not point to a function call in latest unstable version. The code before line 26 in that file has not been modified since April 2024, thus you seem to use an older version, may be version 1.5.0'of jadx-core library?

The exception is caused by Android XML parser. It seems like it doesn't support all the features of a regular J2SE XML parser. Which Android version do you use?

[Lohita9]

Android 11

[jpstotz]

@Lohita9 Please never post code like gradle config as screenshot, especially not as truncated screenshot.

Edit: There is a related question in Stackoverflow on DocumentBuilderFactory on Android: https://stackoverflow.com/questions/67605248/how-to-prevent-xxe-attacks-on-android-when-documentbuilderfactory-doesnt-allow

As the DocumentBuilderFactory configuration we use in Jadx is not supported on Android the only way would be to make this function overridable so that you could modify it on Android.

The getSecureDbf() function had been added in 2017, we should also check if it is still necessary as we have changed our JDK requirement since that time.

[Lohita9]

Ok, I am currently running jdk 21.

[jpstotz]

I just noticed that there is already a setting that allows to disable XML security checks which causes the problems on Android.

The problem is that jadx currently expects you to set JADX_DISABLE_XML_SECURITY environment variable. I am not sure if this is possible at all to set environment variables on Android for your own process/app.

I assume this configuration settings via ENV variable were introduced mainly for jad-core command-line users. For jadx library users using ENV variables doesn't make much sense. May be on a long term perspective we ,may need a configuration system that is a little bit more flexible. @skylot What do you think?

@Lohita9 I just checked the code in jadx-code library in https://s01.oss.sonatype.org/content/repositories/snapshots/ repo. It points to

jadx/jadx-core/src/main/java/jadx/core/xmlgen/XmlSecurity.java

Lines 25 to 27 in b26abdc

	public static String verifyAppPackage(String appPackage) {
	if (DISABLE_CHECKS) {
	return appPackage;

thus to the line if (DISABLE_CHECKS) {.

Therefore the version you use is not the latest unstable version - gradle doesn't seem to recognize that there is a newer snapshot available. I would recommend to delete the cached jadx library dependencies somewhere below ~/.gradle/caches or execute your Android app gradle build task with --refresh-dependencies option to force dependency update.

[Lohita9]

Not working.
Here is the crash log after refresh dependencies same error occurred

---StackTrace---
java.lang.ExceptionInInitializerError
	at jadx.core.xmlgen.XmlSecurity.verifyAppPackage(XmlSecurity.java:26)
	at jadx.core.xmlgen.ResourceStorage.setAppPackage(ResourceStorage.java:79)
	at jadx.core.xmlgen.ResTableBinaryParser.parsePackage(ResTableBinaryParser.java:161)
	at jadx.core.xmlgen.ResTableBinaryParser.decodeTableChunk(ResTableBinaryParser.java:118)
	at jadx.core.xmlgen.ResTableBinaryParser.decode(ResTableBinaryParser.java:91)
	at jadx.api.ResourcesLoader.decodeTable(ResourcesLoader.java:173)
	at jadx.core.dex.nodes.RootNode.lambda$loadResources$7(RootNode.java:210)
	at jadx.core.dex.nodes.RootNode$$ExternalSyntheticLambda16.decode(D8$$SyntheticClass:0)
	at jadx.api.ResourcesLoader.decodeStream(ResourcesLoader.java:113)
	at jadx.core.dex.nodes.RootNode.loadResources(RootNode.java:210)
	at jadx.api.JadxDecompiler.load(JadxDecompiler.java:126)
	at com.lohita.miss.MainActivity$1.onClick(MainActivity.java:41)
	at android.view.View.performClick(View.java:7507)
	at com.google.android.material.button.MaterialButton.performClick(MaterialButton.java:1218)
	at android.view.View.performClickInternal(View.java:7484)
	at android.view.View.access$3600(View.java:839)
	at android.view.View$PerformClick.run(View.java:28689)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loop(Looper.java:236)
	at android.app.ActivityThread.main(ActivityThread.java:8057)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
Caused by: java.lang.RuntimeException: Fail to build secure XML DocumentBuilderFactory
	at jadx.core.xmlgen.XmlSecurity.buildDBF(XmlSecurity.java:51)
	at jadx.core.xmlgen.XmlSecurity.<clinit>(XmlSecurity.java:16)
	... 24 more
Caused by: javax.xml.parsers.ParserConfigurationException: http://apache.org/xml/features/disallow-doctype-decl
	at org.apache.harmony.xml.parsers.DocumentBuilderFactoryImpl.setFeature(DocumentBuilderFactoryImpl.java:101)
	at jadx.core.xmlgen.XmlSecurity.buildDBF(XmlSecurity.java:42)
	... 25 more

[skylot]

may need a configuration system that is a little bit more flexible

@jpstotz looks like the only way is to allow completely replace implementation.
This can be done by extracting interface from xml security (for parsing xml and validate package) and set default implementation to new property in JadxArgs and replacing all usage by it.
Not sure how to correctly implement this on Android through. But providing implementation without any security checks should be fine for now.

And sure, any jadx env variable shouldn't be needed in 'jadx as a library' usage. I recently done similar thing for 'various files' properties in b26abdc, such changes also useful for jadx plugins. And there are a lot of things needs to be extracted in similar way 😢

[skylot]

I commit fix allowing disable or completely replace xml security checks.

Set<JadxSecurityFlag> flags = JadxSecurityFlag.all();
jadxArgs.setSecurity(new JadxSecurity(flags));

Here flags set can be updated and not needed checks disabled/removed.

@Lohita9 also I created an example Android app with jadx lib usage, check https://github.com/jadx-decompiler/jadx-lib-android-example repo. Main jadx usage code can be found here. Hope this will help 🙂