How can I prevent XML Entity expansion attacks using Apigee

Is there a suggestion or recommended approach to detect and potentially reject an XML payload that contains something like this:

<!DOCTYPE foo [
<!ENTITY a “1234567890” >
<!ENTITY b “&a;&a;&a;&a;&a;&a;&a;&a;” >
<!ENTITY c “&b;&b;&b;&b;&b;&b;&b;&b;” >
<!ENTITY d “&c;&c;&c;&c;&c;&c;&c;&c;” >
<!ENTITY e “&d;&d;&d;&d;&d;&d;&d;&d;” >
<!ENTITY f “&e;&e;&e;&e;&e;&e;&e;&e;” >
<!ENTITY g “&f;&f;&f;&f;&f;&f;&f;&f;” >
<!ENTITY h “&g;&g;&g;&g;&g;&g;&g;&g;” >
<!ENTITY i “&h;&h;&h;&h;&h;&h;&h;&h;” >
<!ENTITY j “&i;&i;&i;&i;&i;&i;&i;&i;” >
<!ENTITY k “&j;&j;&j;&j;&j;&j;&j;&j;” >
<!ENTITY l “&k;&k;&k;&k;&k;&k;&k;&k;” >
<!ENTITY m “&l;&l;&l;&l;&l;&l;&l;&l;” >
]>
<foo>&m;</foo>

So that the nested depth of the entity expansion over some limit can cause the request to be rejected. Unless I am mistaken, it does not look like XMLThreatProtection policy can handle this?

Hi @hmiranda@apigee.com,

Java SE 5 has safeguarded for this type of attack. It limits the number of entity expansions to 64,000. This limit can be changed using the following System property:

-DentityExpansionLimit=100000

For more detailed explanation on the topic and how to check if your server is secured against such attack please check the blog Preventing XML Entity Expansion Attack in Java.

How did you handle such situation within apigee?