Create rule S6373[Java]: XML parsers should not allow inclusion of arbitrary files (#547)

rules/S6373/description.adoc

@@ -0,0 +1,15 @@
+XML standard allows the inclusion of xml files with the https://www.w3.org/TR/xinclude-11/[xinclude] element.
+
+XML processors will replace an xinclude element with the content of the file located at the URI defined in the href attribute, potentially from an external storage such as file system or network, which may lead, if no restrictions are put in place, to arbitrary file disclosures or https://www.owasp.org/index.php/Server_Side_Request_Forgery[server-side request forgery (SSRF)] vulnerabilities.
+
+----
+<?xml version="1.0" encoding="utf-8"?>
+<person>
+  <name>foo</name>  
+  <city>bar</city>
+  <age>18</age>
+  <xi:include parse="text" href="file:///etc/passwd"/>
+</person>
+----
+
+

rules/S6373/java/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6373/java/rule.adoc

@@ -0,0 +1,70 @@
+include::../description.adoc[]
+== Noncompliant Code Example
+
+For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
+
+----
+factory.setXIncludeAware(true); // Noncompliant
+// or
+factory.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+For https://dom4j.github.io/[Dom4j] library:
+
+----
+SAXReader xmlReader = new SAXReader();
+xmlReader.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+For http://www.jdom.org/[Jdom2] library:
+
+----
+SAXBuilder builder = new SAXBuilder();
+builder.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
+----
+
+== Compliant Solution
+
+Xinclude is disabled by default and can be explicitely disabled like below.  
+
+For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
+
+----
+factory.setXIncludeAware(false);
+// or
+factory.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+For https://dom4j.github.io/[Dom4j] library:
+
+----
+SAXReader xmlReader = new SAXReader(); 
+xmlReader.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+For http://www.jdom.org/[Jdom2] library:
+
+----
+SAXBuilder builder = new SAXBuilder();
+builder.setFeature("http://apache.org/xml/features/xinclude", false);
+----
+
+== See
+
+* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
+* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
+* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
+* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+
+'''
+endif::env-github,rspecator-view[]

rules/S6373/message.adoc

@@ -0,0 +1,4 @@
+=== Message
+
+Disable the inclusion of files in XML processing.
+

rules/S6373/metadata.json

@@ -0,0 +1,39 @@
+{
+  "title": "XML parsers should not allow inclusion of arbitrary files",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
+  "tags": [
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6373",
+  "sqKey": "S6373",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      611,
+      827
+    ],
+    "OWASP": [
+      "A4"
+    ],
+    "OWASP Top 10 2021": [
+      "A5"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}

rules/S6373/rule.adoc

@@ -0,0 +1,4 @@
+include::description.adoc[]
+
+include::see.adoc[]
+

rules/S6373/see.adoc

@@ -0,0 +1,6 @@
+== See
+
+* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
+* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[OWASP XXE Prevention Cheat Sheet]
+* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
+* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition