rspec/rules/S6374/java/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:

[source,java]
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(true); // Noncompliant
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant

SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setValidating(true); // Noncompliant
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant

SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
----

For https://dom4j.github.io/[Dom4j] library:

[source,java]
----
SAXReader xmlReader = new SAXReader(); // Noncompliant
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);  // Noncompliant

----

For http://www.jdom.org/[Jdom2] library:

[source,java]
----
SAXBuilder builder = new SAXBuilder(); 
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
----

=== Compliant solution
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:

[source,java]
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 

SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 

SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
----

For https://dom4j.github.io/[Dom4j] library:

[source,java]
----
SAXReader xmlReader = new SAXReader(); // Noncompliant
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); 

----

For http://www.jdom.org/[Jdom2] library:

[source,java]
----
SAXBuilder builder = new SAXBuilder(); 
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
----

=== Exceptions
This rules does not raise an issue when an `EntityResolver` is set.
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(true);
DocumentBuilder builder = factory.newDocumentBuilder();
builder.setEntityResolver(new MyEntityResolver());

SAXBuilder builder = new SAXBuilder();
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
builder.setEntityResolver(new EntityResolver());
----

== Resources

* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00
			`For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`factory.setValidating(true); // Noncompliant`
			`factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant`

			`SAXParserFactory factory = SAXParserFactory.newInstance();`
			`factory.setValidating(true); // Noncompliant`
			`factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant`

			`SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);`
			`schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant`
			`----`

			`For https://dom4j.github.io/[Dom4j] library:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`SAXReader xmlReader = new SAXReader(); // Noncompliant`
			`xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant`

			`----`

			`For http://www.jdom.org/[Jdom2] library:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`SAXBuilder builder = new SAXBuilder();`
			`builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`

			`SAXParserFactory factory = SAXParserFactory.newInstance();`
			`factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`

			`SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);`
			`schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`
			`----`

			`For https://dom4j.github.io/[Dom4j] library:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`SAXReader xmlReader = new SAXReader(); // Noncompliant`
			`xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`

			`----`

			`For http://www.jdom.org/[Jdom2] library:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`----`
			`SAXBuilder builder = new SAXBuilder();`
			`builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Exceptions`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			This rules does not raise an issue when an `EntityResolver` is set.
			`----`
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`factory.setValidating(true);`
			`DocumentBuilder builder = factory.newDocumentBuilder();`
			`builder.setEntityResolver(new MyEntityResolver());`

			`SAXBuilder builder = new SAXBuilder();`
			`builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);`
			`builder.setEntityResolver(new EntityResolver());`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00
			`* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference`
			`* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`


			`'''`
Document quick fixes for S2755, S6373, S6374, S6376 and S6377 (#745) 2022-01-25 13:38:33 +01:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Create rule S6374[Java] XML parsers should not load external schemas (#551) 2022-01-24 15:54:34 +01:00			`endif::env-github,rspecator-view[]`