16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
114 lines
4.5 KiB
Plaintext
114 lines
4.5 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
|
|
|
|
[source,java]
|
|
----
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setValidating(true); // Noncompliant
|
|
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
|
|
|
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
|
factory.setValidating(true); // Noncompliant
|
|
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
|
|
|
|
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
|
schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXReader xmlReader = new SAXReader(); // Noncompliant
|
|
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
|
|
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); // Noncompliant
|
|
----
|
|
|
|
=== Compliant solution
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
|
|
|
|
[source,java]
|
|
----
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
|
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
|
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
|
|
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
|
schemaFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXReader xmlReader = new SAXReader(); // Noncompliant
|
|
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
----
|
|
|
|
=== Exceptions
|
|
This rules does not raise an issue when an `EntityResolver` is set.
|
|
[source,java]
|
|
----
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setValidating(true);
|
|
DocumentBuilder builder = factory.newDocumentBuilder();
|
|
builder.setEntityResolver(new MyEntityResolver());
|
|
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
|
builder.setEntityResolver(new EntityResolver());
|
|
----
|
|
|
|
== Resources
|
|
|
|
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
|
|
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
|
|
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
|
|
* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Disable loading of external schemas in XML parsing.
|
|
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
|
|
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.
|
|
|
|
endif::env-github,rspecator-view[]
|