71 lines
3.0 KiB
Plaintext
71 lines
3.0 KiB
Plaintext
include::../description.adoc[]
|
|
== Noncompliant Code Example
|
|
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
|
|
|
|
----
|
|
factory.setXIncludeAware(true); // Noncompliant
|
|
// or
|
|
factory.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
----
|
|
SAXReader xmlReader = new SAXReader();
|
|
xmlReader.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Xinclude is disabled by default and can be explicitely disabled like below.
|
|
|
|
For https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilder], https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html[SAXParser], https://docs.oracle.com/javase/9/docs/api/javax/xml/stream/XMLInputFactory.html[XMLInput], https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html[Transformer] and https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html[Schema] JAPX factories:
|
|
|
|
----
|
|
factory.setXIncludeAware(false);
|
|
// or
|
|
factory.setFeature("http://apache.org/xml/features/xinclude", false);
|
|
----
|
|
|
|
For https://dom4j.github.io/[Dom4j] library:
|
|
|
|
----
|
|
SAXReader xmlReader = new SAXReader();
|
|
xmlReader.setFeature("http://apache.org/xml/features/xinclude", false);
|
|
----
|
|
|
|
For http://www.jdom.org/[Jdom2] library:
|
|
|
|
----
|
|
SAXBuilder builder = new SAXBuilder();
|
|
builder.setFeature("http://apache.org/xml/features/xinclude", false);
|
|
----
|
|
|
|
== See
|
|
|
|
* https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC[Oracle Java Documentation] - XML External Entity Injection Attack
|
|
* https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[OWASP XXE Prevention Cheat Sheet]
|
|
* http://cwe.mitre.org/data/definitions/611.html[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
|
|
* http://cwe.mitre.org/data/definitions/827.html[MITRE, CWE-827] - Improper Control of Document Type Definition
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
'''
|
|
endif::env-github,rspecator-view[]
|