Recipe Name:
XXE: Set secure processing feature to true
Description:
Could lead to XXE
Level:
error
Language:
- java
Tags:
- security
- XML
- basic protection set
- XXE
- OWASP Top 10
Documentation
Secure coding practices prescribe that all XML processors should be configured to enable the secure processing features. This feature should be enabled explicitly where applicable.
An instance of a factory should have the secure processing feature enabled before creating a new instance of the desired XML processor. This can be achieved by using one of the following methods:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setSchema(Schema);
Where factory is an instance of:
- DocumentBuilderFactory
- TransformerFactory
- SAXParserFactory
- SchemaFactory
- XPathFactory
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;
...
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Resources
Recipe
id: scw:xml:secure-processing-true
version: 10
metadata:
name: 'XXE: Set secure processing feature to true'
shortDescription: Could lead to XXE
level: error
language: java
newCodeOnly: false
scwCategory: injection:xml
cweCategory: 611
enabled: true
descriptionFile: Java/XML/descriptions/java_enable_xml_secure_processing.html
tags: security;XML;basic protection set;XXE;OWASP Top 10
search:
methodcall:
args:
1:
referenceTo:
name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
2:
type: boolean
value:
stringified: "false"
name: setFeature
availableFixes:
- name: Set Secure Processing to true
actions:
- rewrite:
to: '{{{ expressionElement }}}({{{ arguments.0 }}}, true)'