Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true :: Recipe Details

Recipe Name:

Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true

Description:

Prevent XXE by disabling the processing of external entities

Level:

error

Language:

java

Tags:

Spring
security
XXE
framework specific
Spring XML
OWASP Top 10

Documentation

When the XML processor is not configured correctly to handle references and entities, it may be susceptible to so-called XML external entities (XXE) attacks.

The setting .setProcessExternalEntities(true) allows the processing of XML entities. This flag will also set .setSupportDtd() to true. Safeguard the application from XML External Entity injection attacks (XXE) with the setting .setProcessExternalEntities(false), which will prevent the resolving of external entities.

Before

jaxb2Marshaller.setProcessExternalEntities(true)

After

jaxb2Marshaller.setProcessExternalEntities(false);

Resources

OWASP Cheatsheet - XML External Entity Prevention

Recipe

id: scw:spring:xml:xxe-Jaxb2Marshaller-setProcessExternalEntities
version: 10
metadata:
  name: 'Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true'
  shortDescription: Prevent XXE by disabling the processing of external entities
  level: error
  language: java
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/InjectionXXEJaxb2MarshallersetProcessExternalEntitiessettotrue.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setProcessExternalEntities
    type: org.springframework.oxm.jaxb.Jaxb2Marshaller
availableFixes:
- name: Set setProcessExternalEntities to false
  actions:
  - modifyArguments:
      rewrite:
        1: "false"