ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2755/cfamily/rule.adoc

92 lines
3.2 KiB
Plaintext
Raw Normal View History

Add missing rules because of approximative section names
2020-06-30 14:41:58 +02:00
include::../description.adoc[]
== Noncompliant Code Example
http://xerces.apache.org/[Xerces] XercesDOMParser library:
----
#include "xercesc/parsers/XercesDOMParser.hpp"
XercesDOMParser *DOMparser = new XercesDOMParser();
// no entity reference node will be created so the entities will be expanded
DOMparser->setCreateEntityReferenceNodes(false); // Noncompliant
DOMparser->setDisableDefaultEntityResolution(false); // Noncompliant
DOMparser->parse(xmlFile);
----
http://xerces.apache.org/[Xerces] SAX2XMLReader library:
----
#include "xercesc/sax2/SAX2XMLReader.hpp"
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader(); // Noncompliant: by default entities resolution is enabled so SAX2XMLReader is not safe
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, false); // Noncompliant: enable resolution of entities explicitly
reader->parse(xmlFile);
----
http://xerces.apache.org/[Xerces] SAXParser library:
----
#include "xercesc/parsers/SAXParser.hpp"
SAXParser* SAXparser = new SAXParser(); // Noncompliant: by default entities resolution is enabled so SAXParser is not safe
SAXparser->setDisableDefaultEntityResolution(false); // Noncompliant: enable resolution of entities explicitly
SAXparser->parse(xmlFile);
----
http://xmlsoft.org/[LibXML2] library:
----
#include "libxml/parser.h"
xmlDocPtr doc = xmlReadFile(xmlFile, nullptr, XML_PARSE_DTDLOAD | XML_PARSE_NOENT); // Noncompliant
----
== Compliant Solution
http://xerces.apache.org/[Xerces] XercesDOMParser library:
----
#include "xercesc/parsers/XercesDOMParser.hpp"
XercesDOMParser *DOMparser = new XercesDOMParser(); // by default XercesDOMParser is safe
DOMparser->setCreateEntityReferenceNodes(true); // Compliant: explicitly make the parser safe to XXE vulnerability
DOMparser->setDisableDefaultEntityResolution(true); // Compliant
DOMparser->parse(xmlFile);
----
http://xerces.apache.org/[Xerces] SAX2XMLReader library:
----
#include "xercesc/sax2/SAX2XMLReader.hpp"
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); // Compliant
reader->parse(xmlFile);
----
http://xerces.apache.org/[Xerces] SAXParser library:
----
#include "xercesc/parsers/SAXParser.hpp"
SAXParser* SAXparser = new SAXParser();
SAXparser->setDisableDefaultEntityResolution(true); // Compliant
SAXparser->parse(xmlFile);
----
http://xmlsoft.org/[LibXML2] library:
----
#include "libxml/parser.h"
xmlDocPtr doc = xmlReadFile(xmlFile, nullptr, 0); // Compliant: safe by default since version 2.9
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxerces-c[OWASP XXE Prevention Cheat Sheet for Xerces]
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxml2[OWASP XXE Prevention Cheat Sheet for LibXML2]
* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
Reference in New Issue Copy Permalink