== Why is this an issue? include::../description.adoc[] === Noncompliant code example For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories: [source,java] ---- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant SAXParserFactory factory = SAXParserFactory.newInstance(); // Noncompliant XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance(); // Noncompliant SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); // Noncompliant ---- For https://dom4j.github.io/[Dom4j] library: [source,java] ---- SAXReader xmlReader = new SAXReader(); // Noncompliant ---- For http://www.jdom.org/[Jdom2] library: [source,java] ---- SAXBuilder builder = new SAXBuilder(); // Noncompliant ---- === Compliant solution For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories: [source,java] ---- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // to be compliant, completely disable DOCTYPE declaration: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // or completely disable external entities declarations: factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // or prohibit the use of all protocols by external entities: factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // or disable entity expansion but keep in mind that this doesn't prevent fetching external entities // and this solution is not correct for OpenJDK < 13 due to a bug: https://bugs.openjdk.java.net/browse/JDK-8206132 factory.setExpandEntityReferences(false); SAXParserFactory factory = SAXParserFactory.newInstance(); // to be compliant, completely disable DOCTYPE declaration: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // or completely disable external entities declarations: factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // or prohibit the use of all protocols by external entities: SAXParser parser = factory.newSAXParser(); // Noncompliant parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); XMLInputFactory factory = XMLInputFactory.newInstance(); // to be compliant, completely disable DOCTYPE declaration: factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // or completely disable external entities declarations: factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); // or prohibit the use of all protocols by external entities: factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance(); // to be compliant, prohibit the use of all protocols by external entities: factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); // to be compliant, completely disable DOCTYPE declaration: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // or prohibit the use of all protocols by external entities: factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); ---- For https://dom4j.github.io/[Dom4j] library: [source,java] ---- SAXReader xmlReader = new SAXReader(); xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ---- For http://www.jdom.org/[Jdom2] library: [source,java] ---- SAXBuilder builder = new SAXBuilder(); builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); ---- == Resources * https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration * https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack * https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE) * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet] * https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference * https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]