Recipe Name:
XXE: Set secure processing feature to true
Description:
Could lead to XXE
Level:
error
Language:
- java
Tags:
- security
- XML
- basic protection set
- XXE
- OWASP Top 10
Documentation
Secure coding practices prescribe that every XML processor be configured with the secure processing feature enabled. Do not rely on the runtime default: enable the feature explicitly wherever a factory is created, and never set it to false (this recipe flags calls that pass false).
The feature must be enabled on the factory instance before it is used to create the XML processor (parser, transformer, schema or XPath object), because the setting is copied into the processor at creation time. This can be achieved by using one of the following methods:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setSchema(Schema);
Where factory is an instance of:
- DocumentBuilderFactory
- TransformerFactory
- SAXParserFactory
- SchemaFactory
- XPathFactory
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;
...
// Configure the factory first; settings made after newDocumentBuilder() do not reach the builder.
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
// Enable secure processing (resource limits on entity expansion and similar) before creating the parser.
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();

Resources
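The recipe's snippet sets only FEATURE_SECURE_PROCESSING, which in the JDK parsers mainly imposes resource limits (entity expansion counts and the like); on DocumentBuilderFactory and SAXParserFactory it does not by itself stop the parser from resolving an external entity declared in a DOCTYPE. The following is an added example, not code from the recipe or from Secure Code Warrior, showing a factory that enables secure processing and then closes the remaining XXE path by rejecting DOCTYPEs, plus a TransformerFactory that blocks external DTD and stylesheet fetches. The XML input is a constructed sample; the class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.xml.sax.SAXParseException;

public class SecureXmlParsingExample {

    // Constructed sample (not from the recipe): a DOCTYPE declaring an external
    // general entity, which is the shape an XXE payload takes.
    private static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<data>&ext;</data>";

    /** DocumentBuilderFactory with secure processing on and DOCTYPEs rejected outright. */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);
        // The setting this recipe enforces: resource limits on entity expansion etc.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Secure processing alone does not stop external entities in DOM/SAX parsers;
        // refusing any DOCTYPE does, and is the simplest complete XXE defence.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, relevant only if DOCTYPEs ever have to be allowed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** TransformerFactory with secure processing on and all external fetches blocked. */
    public static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol allowed: blocks external DTDs and stylesheet
        // imports/document() calls, which are the XXE/SSRF paths in XSLT.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Returns true when the hardened parser refuses the XXE sample. */
    public static boolean rejectsXxeSample() throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(XXE_SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed: the entity would have been resolved
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser fails at the DOCTYPE,
            // before any entity reference is ever resolved.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        hardenedTransformerFactory(); // fails fast if the runtime lacks these attributes
        System.out.println("hardened parser rejected XXE sample: " + rejectsXxeSample());
    }
}
```

The feature and attribute names used here are the standard JAXP/Xerces ones supported by the JDK's built-in parser; a third-party JAXP implementation may throw ParserConfigurationException or IllegalArgumentException for one it does not support, and that exception should be treated as a hard failure rather than caught and ignored, since silently continuing leaves the parser unprotected.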
Recipe
id: scw:xml:secure-processing-true
version: 10
metadata:
  name: 'XXE: Set secure processing feature to true'
  shortDescription: Could lead to XXE
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: Java/XML/descriptions/java_enable_xml_secure_processing.html
  tags: security;XML;basic protection set;XXE;OWASP Top 10
search:
  methodcall:
    args:
      1:
        referenceTo:
          name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
      2:
        type: boolean
        value:
          stringified: "false"
    name: setFeature
availableFixes:
  - name: Set Secure Processing to true
    actions:
      - rewrite:
          to: '{{{ expressionElement }}}({{{ arguments.0 }}}, true)'