2023-05-03 11:06:20 +02:00
== Why is this an issue?
2022-01-18 08:36:38 +01:00
include::../description.adoc[]
2022-01-27 12:10:43 +01:00
2023-05-03 11:06:20 +02:00
=== Noncompliant code example
2022-01-18 08:36:38 +01:00
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
factory.setXIncludeAware(true); // Noncompliant
// or
factory.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
----
For https://dom4j.github.io/[Dom4j] library:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
----
For http://www.jdom.org/[Jdom2] library:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
----
2023-05-03 11:06:20 +02:00
=== Compliant solution
2022-01-18 08:36:38 +01:00
Xinclude is disabled by default and can be explicitely disabled like below.
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
factory.setXIncludeAware(false);
// or
factory.setFeature("http://apache.org/xml/features/xinclude", false);
----
For https://dom4j.github.io/[Dom4j] library:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature("http://apache.org/xml/features/xinclude", false);
----
For http://www.jdom.org/[Jdom2] library:
2022-02-04 17:28:24 +01:00
[source,java]
2022-01-18 08:36:38 +01:00
----
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/xinclude", false);
----
2023-05-03 11:06:20 +02:00
=== Exceptions
2022-01-21 16:05:43 +01:00
This rule does not raise issues when Xinclude is enabled with a custom ``++EntityResolver++``:
For DocumentBuilderFactory:
2023-05-25 14:18:12 +02:00
[source,java]
2022-01-21 16:05:43 +01:00
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setXIncludeAware(true);
// ...
DocumentBuilder builder = factory.newDocumentBuilder();
builder.setEntityResolver((publicId, systemId) -> new MySafeEntityResolver(publicId, systemId));
----
For SAXBuilder:
2023-05-25 14:18:12 +02:00
[source,java]
2022-01-21 16:05:43 +01:00
----
SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/xinclude", true);
builder.setEntityResolver((publicId, systemId) -> new MySafeEntityResolver(publicId, systemId));
----
For SAXReader:
2023-05-25 14:18:12 +02:00
[source,java]
2022-01-21 16:05:43 +01:00
----
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature("http://apache.org/xml/features/xinclude", true);
xmlReader.setEntityResolver((publicId, systemId) -> new MySafeEntityResolver(publicId, systemId));
----
For XMLInputFactory:
2023-05-25 14:18:12 +02:00
[source,java]
2022-01-21 16:05:43 +01:00
----
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty("http://apache.org/xml/features/xinclude", true);
factory.setXMLResolver(new MySafeEntityResolver());
----
2023-05-03 11:06:20 +02:00
== Resources
2022-01-18 08:36:38 +01:00
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
2022-07-08 13:58:56 +02:00
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
2022-01-18 08:36:38 +01:00
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
2022-01-18 08:36:38 +01:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== Message
Disable the inclusion of files in XML processing.
2022-01-18 08:36:38 +01:00
'''
2022-01-25 13:38:33 +01:00
== Comments And Links
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.
2022-01-18 08:36:38 +01:00
endif::env-github,rspecator-view[]
