2021-06-25 12:20:10 +02:00
include::../description.adoc[]
2021-06-04 14:23:34 +02:00
== Noncompliant Code Example
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
SAXParserFactory factory = SAXParserFactory.newInstance(); // Noncompliant
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance(); // Noncompliant
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); // Noncompliant
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
For https://dom4j.github.io/[Dom4j] library:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
SAXReader xmlReader = new SAXReader(); // Noncompliant
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
For http://www.jdom.org/[Jdom2] library:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
SAXBuilder builder = new SAXBuilder(); // Noncompliant
2020-06-30 14:41:58 +02:00
----
== Compliant Solution
2021-06-25 09:14:23 +02:00
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or completely disable external entities declarations:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// or prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2022-02-15 17:51:53 +01:00
// or disable entity expansion but keep in mind that this doesn't prevent fetching external entities
// and this solution is not correct for OpenJDK < 13 due to a bug: https://bugs.openjdk.java.net/browse/JDK-8206132
factory.setExpandEntityReferences(false);
2020-06-30 14:41:58 +02:00
SAXParserFactory factory = SAXParserFactory.newInstance();
2021-06-25 09:14:23 +02:00
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or completely disable external entities declarations:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// or prohibit the use of all protocols by external entities:
SAXParser parser = factory.newSAXParser(); // Noncompliant
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2020-06-30 14:41:58 +02:00
XMLInputFactory factory = XMLInputFactory.newInstance();
2021-06-25 09:14:23 +02:00
// to be compliant, completely disable DOCTYPE declaration:
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// or completely disable external entities declarations:
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// or prohibit the use of all protocols by external entities:
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
// to be compliant, prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
2020-06-30 14:41:58 +02:00
2021-06-25 09:14:23 +02:00
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or prohibit the use of all protocols by external entities:
2021-11-22 16:30:51 +01:00
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
For https://dom4j.github.io/[Dom4j] library:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-04 14:23:34 +02:00
SAXReader xmlReader = new SAXReader();
2021-06-25 09:14:23 +02:00
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
For http://www.jdom.org/[Jdom2] library:
2020-06-30 14:41:58 +02:00
2022-02-04 17:28:24 +01:00
[source,java]
2020-06-30 14:41:58 +02:00
----
2021-06-25 09:14:23 +02:00
SAXBuilder builder = new SAXBuilder();
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2020-06-30 14:41:58 +02:00
----
== See
2021-11-01 15:00:32 +01:00
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
2021-06-25 09:14:23 +02:00
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
2020-06-30 14:41:58 +02:00
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
