rspec/rules/S4435/java/rule.adoc

An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a ``++javax.xml.transform.Transformer++`` is created without enabling "Secure Processing" or when one is created without disabling resolving of both external DTDs and DTD entities. If that external data is being controlled by an attacker it may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.


This rule raises an issue when a ``++Transformer++`` is created without either of these settings.


== Noncompliant Code Example

----
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.transform(input, result);
----


== Compliant Solution

Recommended:


----
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Transformer transformer = factory.newTransformer();

transformer.transform(input, result);
----

Implementation dependent:


----
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Transformer transformer = factory.newTransformer();

transformer.transform(input, result);
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory[OWASP XXE Cheat Sheet]
* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Improper Restriction of XML External Entity Reference ('XXE')
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_DTD_TRANSFORM_FACTORY[XXE_DTD_TRANSFORM_FACTORY]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_XSLT_TRANSFORM_FACTORY[XXE_XSLT_TRANSFORM_FACTORY]
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a ``++javax.xml.transform.Transformer++`` is created without enabling "Secure Processing" or when one is created without disabling resolving of both external DTDs and DTD entities. If that external data is being controlled by an attacker it may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.


			This rule raises an issue when a ``++Transformer++`` is created without either of these settings.

Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Noncompliant Code Example`

			`----`
			`Transformer transformer = TransformerFactory.newInstance().newTransformer();`
			`transformer.transform(input, result);`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`== Compliant Solution`

			`Recommended:`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`TransformerFactory factory = TransformerFactory.newInstance();`
			`factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`
			`factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`

			`Transformer transformer = factory.newTransformer();`

			`transformer.transform(input, result);`
			`----`

			`Implementation dependent:`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`TransformerFactory factory = TransformerFactory.newInstance();`
			`factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`

			`Transformer transformer = factory.newTransformer();`

			`transformer.transform(input, result);`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)`
			`* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory[OWASP XXE Cheat Sheet]`
			`* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Improper Restriction of XML External Entity Reference ('XXE')`
			`* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_DTD_TRANSFORM_FACTORY[XXE_DTD_TRANSFORM_FACTORY]`
			`* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_XSLT_TRANSFORM_FACTORY[XXE_XSLT_TRANSFORM_FACTORY]`