Recipe Name:
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true
Description:
Prevent XXE by disabling DTDs
Level:
error
Language:
- java
Tags:
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Documentation
When the XML processor is not configured correctly to handle references and entities, it may be susceptible to so-called XML External Entity (XXE) attacks.
Disabling the parsing of DTDs (Document Type Definitions) is the most secure way to prevent XML External Entity injection (XXE) and some denial-of-service attacks (such as entity expansion).
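The following is an added example, not code from the recipe page or from Spring itself. It shows the flagged setting next to the fix inside an assumed Spring MVC configuration class (XmlConverterConfig is a hypothetical name), and also hardens any Jaxb2RootElementHttpMessageConverter that Spring registered on its own, since the converter a developer never touched is the one most easily left misconfigured by a later setSupportDtd(true):

```java
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Assumed application configuration (hypothetical class, not from the recipe).
// Registers a JAXB converter for @XmlRootElement request bodies and makes sure
// every JAXB converter in the chain refuses DOCTYPE declarations.
@Configuration
public class XmlConverterConfig implements WebMvcConfigurer {

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        Jaxb2RootElementHttpMessageConverter jaxb = new Jaxb2RootElementHttpMessageConverter();

        // Flagged by the recipe: with DTD support on, a <!DOCTYPE ...> in the
        // request body is parsed, so entity declarations reach the XML processor.
        // jaxb.setSupportDtd(true);

        // Recipe fix: reject DOCTYPE declarations entirely. This is also Spring's
        // default for this converter; stating it explicitly documents the intent.
        jaxb.setSupportDtd(false);
        // Defence in depth: never resolve external entities, even if DTD support
        // is re-enabled somewhere else later.
        jaxb.setProcessExternalEntities(false);

        converters.add(0, jaxb);

        // Spring Boot may have auto-registered its own JAXB converter before this
        // method runs; apply the same settings to every instance in the chain.
        for (HttpMessageConverter<?> converter : converters) {
            if (converter instanceof Jaxb2RootElementHttpMessageConverter) {
                Jaxb2RootElementHttpMessageConverter other =
                        (Jaxb2RootElementHttpMessageConverter) converter;
                if (other.isSupportDtd() || other.isProcessExternalEntities()) {
                    other.setSupportDtd(false);
                    other.setProcessExternalEntities(false);
                }
            }
        }
    }
}
```

Once this is in place, a request body that starts with a DOCTYPE declaration fails to deserialize (Spring raises HttpMessageNotReadableException) instead of being handed to the parser with entity processing enabled.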
Before
jaxb2RootElementHttpMessageConverter.setSupportDtd(true);
After
jaxb2RootElementHttpMessageConverter.setSupportDtd(false);
Resources
Recipe
id: scw:spring:xml:xxe-Jaxb2RootElementHttpMessageConverter-setSupportDtd
version: 10
metadata:
  name: 'Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true'
  shortDescription: Prevent XXE by disabling DTDs
  level: error
  language: java
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/InjectionXXEJaxb2RootElementHttpMessageConvertersetSupportDtdsettotrue.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setSupportDtd
    type: org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter
availableFixes:
  - name: Set setSupportDtd to false
    actions:
      - modifyArguments:
          rewrite:
            1: "false"