jdk.xml.entityExpansionLimit
The jdk.xml.entityExpansionLimit Java system property accepts an integer value that limits how many times XML entities may be expanded while a single document is parsed.
The reasoning for creating the jdk.xml.entityExpansionLimit setting was to avoid XML parser denial of service attacks such as the Billion Laughs Attack:
<!DOCTYPE root [
<!ELEMENT root ANY>
<!ENTITY LOL "LOL">
<!ENTITY LOL1 "&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;&LOL;">
<!ENTITY LOL2 "&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;&LOL1;">
<!ENTITY LOL3 "&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;&LOL2;">
<!ENTITY LOL4 "&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;&LOL3;">
<!ENTITY LOL5 "&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;&LOL4;">
<!ENTITY LOL6 "&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;&LOL5;">
<!ENTITY LOL7 "&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;&LOL6;">
<!ENTITY LOL8 "&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;&LOL7;">
<!ENTITY LOL9 "&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;&LOL8;">
]>
<root>&LOL9;</root>
In this case a very small XML document defines nested entities, each referencing the previous one ten times, so that expanding &LOL9; requires the parser to produce 10^9 copies of "LOL" (several gigabytes of text) from under a kilobyte of input.
Security Tip
Be careful not to set jdk.xml.entityExpansionLimit too high. If the limit is too high, a malicious document can still cause resource exhaustion, or a denial of service, before the limit is reached. A value of 0 disables the check entirely.
Here's the error you might see triggered due to reaching the XML entity expansion limit:
The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.
In some cases the message ends with "this is the limit imposed by the application" instead; this indicates that the limit in force was set by the application or its configuration rather than left at the JDK default.
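The following is an added example (not code from the original page) showing how a defender verifies that the limit actually rejects the Billion Laughs document above. It builds that document programmatically, parses it with a DocumentBuilderFactory whose entity expansion limit is set to 100 through the JDK attribute name "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit" (the per-factory equivalent of jdk.xml.entityExpansionLimit), and returns the parser's error message. It also shows the stricter option of rejecting any DOCTYPE with the Xerces feature "http://apache.org/xml/features/disallow-doctype-decl", which stops entity-based attacks before any expansion happens. The class and method names are this example's own; it needs Java 11 or later for String.repeat.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class EntityExpansionLimitDemo {

    // JDK "full name" of the limit; the same setting as -Djdk.xml.entityExpansionLimit,
    // but scoped to this factory instead of the whole JVM.
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Xerces feature that makes the parser reject any document carrying a DOCTYPE.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds the page's Billion Laughs document: LOL1..LOL9, each ten references to the previous entity. */
    static String billionLaughs() {
        StringBuilder sb = new StringBuilder(
                "<!DOCTYPE root [<!ELEMENT root ANY><!ENTITY LOL \"LOL\">");
        for (int i = 1; i <= 9; i++) {
            String previous = (i == 1) ? "&LOL;" : "&LOL" + (i - 1) + ";";
            sb.append("<!ENTITY LOL").append(i).append(" \"")
              .append(previous.repeat(10)).append("\">");
        }
        return sb.append("]><root>&LOL9;</root>").toString();
    }

    /**
     * Parses xml with the given expansion limit. Returns null when the document was accepted,
     * otherwise the parser's fatal-error message (the text quoted on this page).
     */
    static String parseWithLimit(String xml, int limit) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(ENTITY_EXPANSION_LIMIT, String.valueOf(limit));
        return parse(factory, xml);
    }

    /** Parses xml with a factory that refuses any DOCTYPE, so no entity can be declared at all. */
    static String parseWithoutDoctype(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return parse(factory, xml);
    }

    private static String parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return null; // accepted
        } catch (SAXParseException e) {
            return e.getMessage(); // limit reached or DOCTYPE refused
        }
    }

    public static void main(String[] args) throws Exception {
        String attack = billionLaughs();
        System.out.println("document size: " + attack.length() + " bytes");
        System.out.println("limit 100:   " + parseWithLimit(attack, 100));
        System.out.println("no DOCTYPE:  " + parseWithoutDoctype(attack));
        // A harmless document with a single expansion is still accepted under the same limit.
        String benign = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        System.out.println("benign:      " + parseWithLimit(benign, 100));
    }
}
```

With the limit at 100 the parser aborts after a few hundred bytes of expansion work and reports the "entity expansions" message; the DOCTYPE-refusing factory rejects the document before any entity is declared, which is the preferable setting wherever the application never legitimately needs a DTD.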
-DentityExpansionLimit
Older versions of Java (Java 1.5, for example) may only recognise the legacy form of the property, which omits the jdk.xml prefix and is simply entityExpansionLimit. The legacy name is still supported for backwards compatibility, but you may wish to update to the full property name for clarity.
Here are some other XML Java system properties:
java.xml.config.file
javax.xml.accessExternalDTD
jdk.xml.elementAttributeLimit
jdk.xml.enableExtensionFunctions
jdk.xml.maxXMLNameLimit
jaxp.properties
The jdk.xml.entityExpansionLimit property can also be specified in the jaxp.properties file, typically located at conf/jaxp.properties under your JVM's installation directory. You can also create your own jaxp.properties file and point the JVM at it with the java.xml.config.file Java system property.
Java has supported this limit since version 1.5, first as entityExpansionLimit and later under the name jdk.xml.entityExpansionLimit.
jdk.xml.entityExpansionLimit on Startup
You can set the jdk.xml.entityExpansionLimit Java system property when starting the Java runtime using the -D command line argument:
java -Djdk.xml.entityExpansionLimit=100 MyAppMain
You may also be able to specify jdk.xml.entityExpansionLimit via the JAVA_TOOL_OPTIONS environment variable:
JAVA_TOOL_OPTIONS=-Djdk.xml.entityExpansionLimit=100
jdk.xml.entityExpansionLimit at Runtime
You can set jdk.xml.entityExpansionLimit at runtime with the following Java code:
System.setProperty("jdk.xml.entityExpansionLimit", "100");
WARNING: Depending on the property and JVM version, System.setProperty may or may not take effect if the JDK class that reads the property has already been loaded, because the value of jdk.xml.entityExpansionLimit may be cached in a private static field of the implementing class.
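Because of that caching caveat, a practitioner wants a check that the runtime setting is really in force rather than trusting the return of System.setProperty. The following is an added example (not code from the original page) that probes the effective limit behaviourally: it parses a constructed, harmless document containing n references to a one-character entity, once with half the intended limit (must be accepted) and once with double it (must be rejected). Using a factor of two on each side keeps the check independent of the exact off-by-one boundary of the parser's count. The class and method names are this example's own; it needs Java 11 or later for String.repeat.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class EntityLimitProbe {

    /** Constructed benign document: one tiny entity referenced n times, so exactly n expansions, no nesting. */
    static String documentWithExpansions(int n) {
        return "<!DOCTYPE root [<!ENTITY e \"x\">]><root>" + "&e;".repeat(n) + "</root>";
    }

    /**
     * true if a plain DocumentBuilderFactory (no per-factory limit, so whatever the system
     * property or jaxp.properties established) accepts a document with n expansions.
     */
    static boolean accepts(int n) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        // Quiet handler: the default one also prints "[Fatal Error]" to stderr before throwing.
        builder.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) { }
            public void error(SAXParseException e) throws SAXException { throw e; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        try {
            builder.parse(new ByteArrayInputStream(
                    documentWithExpansions(n).getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    /** Classifies what the parser actually enforces relative to the limit we intended. */
    static String probe(int intendedLimit) throws Exception {
        boolean lowAccepted = accepts(intendedLimit / 2);
        boolean highRejected = !accepts(intendedLimit * 2);
        if (lowAccepted && highRejected) {
            return "limit of about " + intendedLimit + " is in effect";
        }
        if (lowAccepted) {
            return "parser still accepts " + (intendedLimit * 2)
                 + " expansions: the runtime setting was ignored or cached; use -D or a per-factory attribute";
        }
        return "parser rejects even " + (intendedLimit / 2) + " expansions: a stricter limit is already in force";
    }

    public static void main(String[] args) throws Exception {
        int intended = 100;
        System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(intended));
        System.out.println(probe(intended));
    }
}
```

Run it once with the System.setProperty call in place and once with the property passed as -Djdk.xml.entityExpansionLimit=100 on the command line instead; if only the latter reports the limit as in effect, the runtime route is being cached on that JVM and the startup or per-factory route should be used.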
To read the value of jdk.xml.entityExpansionLimit at runtime, you can use this Java code:
String propertyValue = System.getProperty("jdk.xml.entityExpansionLimit");
if (propertyValue != null) {
    System.out.println("jdk.xml.entityExpansionLimit = " + propertyValue);
} else {
    System.out.println("jdk.xml.entityExpansionLimit was null");
}