From aa10281f1bc79627ce40b2e820b45a887c4865e3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 18 Jan 2022 08:36:38 +0100 Subject: [PATCH] Create rule S6373[Java]: XML parsers should not allow inclusion of arbitrary files (#547) --- rules/S6373/description.adoc | 15 ++++++++ rules/S6373/java/metadata.json | 2 + rules/S6373/java/rule.adoc | 70 ++++++++++++++++++++++++++++++++++ rules/S6373/message.adoc | 4 ++ rules/S6373/metadata.json | 39 +++++++++++++++++++ rules/S6373/rule.adoc | 4 ++ rules/S6373/see.adoc | 6 +++ 7 files changed, 140 insertions(+) create mode 100644 rules/S6373/description.adoc create mode 100644 rules/S6373/java/metadata.json create mode 100644 rules/S6373/java/rule.adoc create mode 100644 rules/S6373/message.adoc create mode 100644 rules/S6373/metadata.json create mode 100644 rules/S6373/rule.adoc create mode 100644 rules/S6373/see.adoc diff --git a/rules/S6373/description.adoc b/rules/S6373/description.adoc new file mode 100644 index 0000000000..0d8e36da22 --- /dev/null +++ b/rules/S6373/description.adoc @@ -0,0 +1,15 @@ +XML standard allows the inclusion of xml files with the https://www.w3.org/TR/xinclude-11/[xinclude] element. + +XML processors will replace an xinclude element with the content of the file located at the URI defined in the href attribute, potentially from an external storage such as file system or network, which may lead, if no restrictions are put in place, to arbitrary file disclosures or https://www.owasp.org/index.php/Server_Side_Request_Forgery[server-side request forgery (SSRF)] vulnerabilities. + +---- + + + foo + bar + 18 + + +---- + + diff --git a/rules/S6373/java/metadata.json b/rules/S6373/java/metadata.json new file mode 100644 index 0000000000..2c63c08510 --- /dev/null +++ b/rules/S6373/java/metadata.json @@ -0,0 +1,2 @@ +{ +} 
diff --git a/rules/S6373/java/rule.adoc b/rules/S6373/java/rule.adoc
new file mode 100644
index 0000000000..d7052c0915
--- /dev/null
+++ b/rules/S6373/java/rule.adoc
@@ -0,0 +1,70 @@
+include::../description.adoc[]
+== Noncompliant Code Example
+
+For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
+
+----
+factory.setXIncludeAware(true); // Noncompliant
+// or
+factory.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+For https://dom4j.github.io/[Dom4j] library:
+
+----
+SAXReader xmlReader = new SAXReader();
+xmlReader.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+For http://www.jdom.org/[Jdom2] library:
+
+----
+SAXBuilder builder = new SAXBuilder();
+builder.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+== Compliant Solution
+
+Xinclude is disabled by default and can be explicitely disabled like below.
+
+For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
+
+----
+factory.setXIncludeAware(false);
+// or
+factory.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+For https://dom4j.github.io/[Dom4j] library:
+
+----
+SAXReader xmlReader = new SAXReader();
+xmlReader.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+For http://www.jdom.org/[Jdom2] library:
+
+----
+SAXBuilder builder = new SAXBuilder();
+builder.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+== See
+
+* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
+* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
+* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
+* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+
+'''
+endif::env-github,rspecator-view[]
diff --git a/rules/S6373/message.adoc b/rules/S6373/message.adoc
new file mode 100644
index 0000000000..3423e462c2
--- /dev/null
+++ b/rules/S6373/message.adoc
@@ -0,0 +1,4 @@
+=== Message
+
+Disable the inclusion of files in XML processing.
+
diff --git a/rules/S6373/metadata.json b/rules/S6373/metadata.json
new file mode 100644
index 0000000000..359e2a541f
--- /dev/null
+++ b/rules/S6373/metadata.json
@@ -0,0 +1,39 @@
+{
+ "title": "XML parsers should not allow inclusion of arbitrary files",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "15min"
+ },
+ "tags": [
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6373",
+ "sqKey": "S6373",
+ "scope": "Main",
+ "securityStandards": {
+ "CWE": [
+ 611,
+ 827
+ ],
+ "OWASP": [
+ "A4"
+ ],
+ "OWASP Top 10 2021": [
+ "A5"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6373/rule.adoc b/rules/S6373/rule.adoc
new file mode 100644
index 0000000000..d20a63fc54
--- /dev/null
+++ b/rules/S6373/rule.adoc
@@ -0,0 +1,4 @@
+include::description.adoc[]
+
+include::see.adoc[]
+
diff --git a/rules/S6373/see.adoc b/rules/S6373/see.adoc
new file mode 100644
index 0000000000..505747cf5b
--- /dev/null
+++ b/rules/S6373/see.adoc
@@ -0,0 +1,6 @@
+== See
+
+* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[OWASP XXE Prevention Cheat Sheet]
+* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
+* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition