Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566)
This commit is contained in:
parent
0e8600ae42
commit
3b45c5467d
21
rules/S6376/description.adoc
Normal file
21
rules/S6376/description.adoc
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
An XML bomb / https://en.wikipedia.org/wiki/Billion_laughs_attack[billion laughs] attack is a malicious XML document containing the same large entity repeated over and over again. If no restrictions is in place, such a limit on the number of entity expansions, the XML processor can consume a lot memory and time during the parsing of such documents leading to Denial of Service.
|
||||||
|
|
||||||
|
----
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE lolz [
|
||||||
|
<!ENTITY lol "lol">
|
||||||
|
<!ELEMENT lolz (#PCDATA)>
|
||||||
|
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
|
||||||
|
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
|
||||||
|
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
|
||||||
|
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
|
||||||
|
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
|
||||||
|
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
|
||||||
|
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
|
||||||
|
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
|
||||||
|
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
|
||||||
|
]>
|
||||||
|
<lolz>&lol9;</lolz>
|
||||||
|
----
|
||||||
|
|
||||||
|
|
2
rules/S6376/java/metadata.json
Normal file
2
rules/S6376/java/metadata.json
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
{
|
||||||
|
}
|
85
rules/S6376/java/rule.adoc
Normal file
85
rules/S6376/java/rule.adoc
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
include::../description.adoc[]
|
||||||
|
|
||||||
|
== Noncompliant Code Example
|
||||||
|
|
||||||
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
|
||||||
|
|
||||||
|
----
|
||||||
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
|
||||||
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
|
||||||
|
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
|
||||||
|
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
----
|
||||||
|
|
||||||
|
For https://dom4j.github.io/[Dom4j] library:
|
||||||
|
|
||||||
|
----
|
||||||
|
SAXReader xmlReader = new SAXReader();
|
||||||
|
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
|
||||||
|
----
|
||||||
|
|
||||||
|
For http://www.jdom.org/[Jdom2] library:
|
||||||
|
|
||||||
|
----
|
||||||
|
SAXBuilder builder = new SAXBuilder();
|
||||||
|
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
||||||
|
----
|
||||||
|
|
||||||
|
== Compliant Solution
|
||||||
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
|
||||||
|
|
||||||
|
----
|
||||||
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
|
||||||
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
|
||||||
|
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
|
||||||
|
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
|
||||||
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
----
|
||||||
|
|
||||||
|
For https://dom4j.github.io/[Dom4j] library:
|
||||||
|
|
||||||
|
----
|
||||||
|
SAXReader xmlReader = new SAXReader();
|
||||||
|
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
|
||||||
|
----
|
||||||
|
|
||||||
|
For http://www.jdom.org/[Jdom2] library:
|
||||||
|
|
||||||
|
----
|
||||||
|
SAXBuilder builder = new SAXBuilder();
|
||||||
|
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||||
|
----
|
||||||
|
|
||||||
|
== See
|
||||||
|
|
||||||
|
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
|
||||||
|
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
||||||
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
|
||||||
|
* http://cwe.mitre.org/data/definitions/776.html[MITRE, CWE-776] - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
|
||||||
|
|
||||||
|
ifdef::env-github,rspecator-view[]
|
||||||
|
|
||||||
|
'''
|
||||||
|
== Implementation Specification
|
||||||
|
(visible only on this page)
|
||||||
|
|
||||||
|
include::../message.adoc[]
|
||||||
|
|
||||||
|
|
||||||
|
'''
|
||||||
|
endif::env-github,rspecator-view[]
|
4
rules/S6376/message.adoc
Normal file
4
rules/S6376/message.adoc
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
=== Message
|
||||||
|
|
||||||
|
Enable XML parsing limitations to prevent Denial of Service attacks.
|
||||||
|
|
38
rules/S6376/metadata.json
Normal file
38
rules/S6376/metadata.json
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
{
|
||||||
|
"title": "XML parsers should not be vulnerable to Denial of Service attacks",
|
||||||
|
"type": "VULNERABILITY",
|
||||||
|
"status": "ready",
|
||||||
|
"remediation": {
|
||||||
|
"func": "Constant\/Issue",
|
||||||
|
"constantCost": "15min"
|
||||||
|
},
|
||||||
|
"tags": [
|
||||||
|
],
|
||||||
|
"extra": {
|
||||||
|
"replacementRules": [
|
||||||
|
|
||||||
|
],
|
||||||
|
"legacyKeys": [
|
||||||
|
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"defaultSeverity": "Major",
|
||||||
|
"ruleSpecification": "RSPEC-6376",
|
||||||
|
"sqKey": "S6376",
|
||||||
|
"scope": "Main",
|
||||||
|
"securityStandards": {
|
||||||
|
"CWE": [
|
||||||
|
776
|
||||||
|
],
|
||||||
|
"OWASP": [
|
||||||
|
"A4"
|
||||||
|
],
|
||||||
|
"OWASP Top 10 2021": [
|
||||||
|
"A5"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"defaultQualityProfiles": [
|
||||||
|
"Sonar way"
|
||||||
|
],
|
||||||
|
"quickfix": "unknown"
|
||||||
|
}
|
4
rules/S6376/rule.adoc
Normal file
4
rules/S6376/rule.adoc
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
include::description.adoc[]
|
||||||
|
|
||||||
|
include::see.adoc[]
|
||||||
|
|
5
rules/S6376/see.adoc
Normal file
5
rules/S6376/see.adoc
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
== See
|
||||||
|
|
||||||
|
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
||||||
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[OWASP XXE Prevention Cheat Sheet]
|
||||||
|
* http://cwe.mitre.org/data/definitions/776.html[MITRE, CWE-776] - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
|
Loading…
x
Reference in New Issue
Block a user