rspec/rules/S4435/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00


== Why is this an issue?
An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a ``++javax.xml.transform.Transformer++`` is created without enabling "Secure Processing", or when one is created without disabling the resolution of both external DTDs and external DTD entities. If the external data being resolved is controlled by an attacker, it may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser runs, and other system impacts.
This rule raises an issue when a ``++Transformer++`` is created without either of these settings.
=== Noncompliant code example
[source,java]
----
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.transform(input, result);
----
=== Compliant solution
Recommended:
[source,java]
----
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = factory.newTransformer();
transformer.transform(input, result);
----
Implementation dependent:
[source,java]
----
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = factory.newTransformer();
transformer.transform(input, result);
----
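The two compliant settings combined into one reusable factory helper, as an added example that is not part of the rule description or of the SonarSource code base. The class name ``++SecureTransformers++`` and the identity stylesheet used as input are constructed for the illustration; the helper fails closed when the JAXP 1.5 external-access attributes are not recognised by the installed implementation, rather than silently continuing with a factory that only has secure processing enabled.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class SecureTransformers {

    /** Factory with external DTD and stylesheet access disabled and secure processing on. */
    public static TransformerFactory secureFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        try {
            // Empty string = no protocol allowed, so no external DTD or external stylesheet is fetched.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // setAttribute throws when the implementation does not know the attribute
            // (pre JAXP 1.5 parsers). Fail closed instead of returning a weaker factory.
            throw new TransformerConfigurationException(
                "TransformerFactory does not support JAXP external-access attributes", e);
        }
        // Belt and braces: also enable secure processing (implementation dependent limits).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    /** Applies the given stylesheet to the given document using the hardened factory. */
    public static String transform(String xslt, String xml) throws Exception {
        Transformer transformer = secureFactory()
            .newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an identity stylesheet and a small document.
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
            + "<xsl:template match=\"/\"><xsl:copy-of select=\".\"/></xsl:template>"
            + "</xsl:stylesheet>";
        String xml = "<doc><item>hello</item></doc>";
        System.out.println(transform(xslt, xml)); // <doc><item>hello</item></doc>
    }
}
```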
== Resources
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory[OWASP XXE Cheat Sheet]
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Improper Restriction of XML External Entity Reference ('XXE')
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_DTD_TRANSFORM_FACTORY[XXE_DTD_TRANSFORM_FACTORY]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XXE_XSLT_TRANSFORM_FACTORY[XXE_XSLT_TRANSFORM_FACTORY]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Secure this "Transformer" by either disabling external DTDs or enabling secure processing.
=== Highlighting
Transformer instance creation
'''
== Comments And Links
(visible only on this page)
=== on 25 Jan 2018, 14:21:11 Jean-Christophe Collet wrote:
Related to RSPEC-2755, but different API
endif::env-github,rspecator-view[]