ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161)

Browse Source 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
This commit is contained in:
Sebastien Andrivet 2023-09-29 14:39:25 +02:00 committed by GitHub
parent 0f18b04ab8
commit cdf572bb12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 98 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/S6376/description.adoc
View File

@ -1,4 +0,0 @@
An XML bomb / https://en.wikipedia.org/wiki/Billion_laughs_attack[billion laughs] attack is a malicious XML document containing the same large entity repeated over and over again. If no restrictions is in place, such a limit on the number of entity expansions, the XML processor can consume a lot memory and time during the parsing of such documents leading to Denial of Service.

23
rules/S6376/java/how-to-fix-it/dom4j.adoc Normal file
View File

@ -0,0 +1,23 @@
== How to fix it in Dom4j
=== Code examples
==== Noncompliant code example
[source,java,diff-id=2,diff-type=noncompliant]
----
import org.dom4j.io.SAXReader;
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
----
==== Compliant solution
[source,java,diff-id=2,diff-type=compliant]
----
import org.dom4j.io.SAXReader;
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----

23
rules/S6376/java/how-to-fix-it/java-se.adoc Normal file
View File

@ -0,0 +1,23 @@
== How to fix it in Java SE
=== Code examples
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
import javax.xml.parsers.DocumentBuilderFactory;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
import javax.xml.parsers.DocumentBuilderFactory;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----

23
rules/S6376/java/how-to-fix-it/jdom2.adoc Normal file
View File

@ -0,0 +1,23 @@
== How to fix it in Jdom2
=== Code examples
==== Noncompliant code example
[source,java,diff-id=3,diff-type=noncompliant]
----
import org.jdom2.input.SAXBuilder;
SAXBuilder builder = new SAXBuilder();
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
----
==== Compliant solution
[source,java,diff-id=3,diff-type=compliant]
----
import org.jdom2.input.SAXBuilder;
SAXBuilder builder = new SAXBuilder();
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----

96
rules/S6376/java/rule.adoc
View File

@ -1,84 +1,45 @@
XML parsers Denial of Service attacks target XML parsers, which are software components responsible for parsing and interpreting XML documents.
== Why is this an issue?
include::../description.adoc[]
XML files are complex data structures. When a malicious user is able to submit an XML file, it triggers complex processing that may overwhelm the parser. Most of the time, those complex processing are enabled by default, and XML parsers do not take preventive measures against Denial of Service attacks.
=== Noncompliant code example
=== What is the potential impact?
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
When an attacker successfully exploits the vulnerability, it can lead to a Denial of Service (DoS) condition.
[source,java]
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
=== System Unavailability
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
Affected system becomes unresponsive or crashes, rendering it unavailable to legitimate users. This can have severe consequences, especially for critical systems that rely on continuous availability, such as web servers, APIs, or network services.
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
=== Amplification Attacks
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
----
In some cases, XML parsers Denial of Service attacks can be used as a part of larger-scale amplification attacks. By leveraging the vulnerability, attackers can generate a disproportionately large response from the targeted system, amplifying the impact of their attack. This can result in overwhelming network bandwidth and causing widespread disruption.
For https://dom4j.github.io/[Dom4j] library:
include::how-to-fix-it/java-se.adoc[]
[source,java]
----
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
include::how-to-fix-it/dom4j.adoc[]
----
For http://www.jdom.org/[Jdom2] library:
[source,java]
----
SAXBuilder builder = new SAXBuilder();
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
----
=== Compliant solution
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
[source,java]
----
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----
For https://dom4j.github.io/[Dom4j] library:
[source,java]
----
SAXReader xmlReader = new SAXReader();
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----
For http://www.jdom.org/[Jdom2] library:
[source,java]
----
SAXBuilder builder = new SAXBuilder();
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
----
include::how-to-fix-it/jdom2.adoc[]
== Resources
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
* https://cwe.mitre.org/data/definitions/776[MITRE, CWE-776] - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
=== Documentation
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilderFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/SAXParserFactory.html[SAXParserFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/validation/SchemaFactory.html[SchemaFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/transform/TransformerFactory.html[TransformerFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html[Java API for XML Processing (JAXP) Security Guide]
* Dom4j Documentation - https://dom4j.github.io/javadoc/2.1.4/org/dom4j/io/SAXReader.html[SAXReader Class]
* Jdom2 Documentation - http://www.jdom.org/docs/apidocs/org/jdom2/input/SAXBuilder.html[SAXBuilder class]
* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[XXE Prevention Cheat Sheet]
=== Standards
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4 - XML External Entities (XXE)]
* CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]
ifdef::env-github,rspecator-view[]
@ -91,7 +52,6 @@ ifdef::env-github,rspecator-view[]
Enable XML parsing limitations to prevent Denial of Service attacks.
'''
== Comments And Links
(visible only on this page)