16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
103 lines
4.1 KiB
Plaintext
103 lines
4.1 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
|
|
|
|
[source,java]
|
|
----
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
|
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
|
|
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
|
|
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXReader xmlReader = new SAXReader();
|
|
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
|
|
----
|
|
|
|
=== Compliant solution
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] and https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] JAPX factories:
|
|
|
|
[source,java]
|
|
----
|
|
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
|
|
SAXParserFactory factory = SAXParserFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
|
|
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
|
|
TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
|
|
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXReader xmlReader = new SAXReader();
|
|
xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
[source,java]
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
----
|
|
|
|
== Resources
|
|
|
|
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
|
|
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
|
|
* https://cwe.mitre.org/data/definitions/776[MITRE, CWE-776] - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Enable XML parsing limitations to prevent Denial of Service attacks.
|
|
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
|
|
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.
|
|
|
|
endif::env-github,rspecator-view[]
|