rspec/rules/S2755/java/how-to-fix-it/java-se.adoc

== How to fix it in Java SE

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public void decode() {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
}
----

[source,java,diff-id=2,diff-type=noncompliant]
----
import javax.xml.stream.XMLInputFactory;

public void decode() {
    XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant
}
----

==== Compliant solution

For `DocumentBuilderFactory`, `SAXParserFactory`, `TransformerFactory`, and
`SchemaFactory` set `XMLConstants.FEATURE_SECURE_PROCESSING` to `true`.

[source,java,diff-id=1,diff-type=compliant]
----
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public void decode() {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
----

For `XMLInputFactory` set `SUPPORT_DTD` to `false`.

[source,java,diff-id=2,diff-type=compliant]
----
import javax.xml.stream.XMLInputFactory;

public void decode() {
    XMLInputFactory factory = XMLInputFactory.newInstance();
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}
----

Other combinations of settings are secure, but in general, it is recommendable
to use the approaches shown here, as they are the most clear.

=== How does this work?

include::../../common/fix/xxe.adoc[]

=== Going the extra mile

==== Disable entity expansion

Specifically for `DocumentBuilderFactory`, it is possible to disable the entity
expansion. Note, however, that this does not prevent the retrieval of external
entities.

[source, java]
----
factory.setExpandEntityReferences(false);
----
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`== How to fix it in Java SE`

			`=== Code examples`

			`include::../../common/fix/code-rationale.adoc[]`

			`==== Noncompliant code example`

Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`[source,java,diff-id=1,diff-type=noncompliant]`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`import javax.xml.XMLConstants;`
			`import javax.xml.parsers.DocumentBuilderFactory;`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`public void decode() {`
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant`
			`}`
			`----`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`[source,java,diff-id=2,diff-type=noncompliant]`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`import javax.xml.stream.XMLInputFactory;`

			`public void decode() {`
			`XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant`
			`}`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`

Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`==== Compliant solution`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			For `DocumentBuilderFactory`, `SAXParserFactory`, `TransformerFactory`, and
			`SchemaFactory` set `XMLConstants.FEATURE_SECURE_PROCESSING` to `true`.

			`[source,java,diff-id=1,diff-type=compliant]`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`import javax.xml.XMLConstants;`
			`import javax.xml.parsers.DocumentBuilderFactory;`

			`public void decode() {`
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`
			`}`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`

Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			For `XMLInputFactory` set `SUPPORT_DTD` to `false`.
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`[source,java,diff-id=2,diff-type=compliant]`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`import javax.xml.stream.XMLInputFactory;`

			`public void decode() {`
			`XMLInputFactory factory = XMLInputFactory.newInstance();`
			`factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);`
			`}`
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`----`

Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00			`Other combinations of settings are secure, but in general, it is recommendable`
			`to use the approaches shown here, as they are the most clear.`

Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			`=== How does this work?`

			`include::../../common/fix/xxe.adoc[]`

			`=== Going the extra mile`

			`==== Disable entity expansion`
Modify rule S2755: Simplify how to fix it section (#4215) 2024-09-03 17:52:33 +02:00
Modify rule S2755: LaYC format (#2245) 2023-06-22 11:25:00 +02:00			Specifically for `DocumentBuilderFactory`, it is possible to disable the entity
			`expansion. Note, however, that this does not prevent the retrieval of external`
			`entities.`

			`[source, java]`
			`----`
			`factory.setExpandEntityReferences(false);`
			`----`