
Recipe - XML Injection: Set missing secure processing feature

Description:
Could lead to XML Injection
Level:
error
Language:
  • java
Tags:
  • security
  • XML
  • basic protection set
  • injection
  • OWASP Top 10
Documentation

Secure coding practices prescribe that every XML processor be configured with the JAXP secure processing feature (javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING) enabled. All JAXP implementations are required to support this feature, but it should be enabled explicitly rather than relied on as a default, because defaults differ between implementations and versions.

The feature must be enabled on the factory before the factory is used to create the XML processor (parser, transformer, validator or XPath evaluator): the factory's configuration is handed to the processor at creation time, so enabling the feature afterwards has no effect on instances that already exist. It is enabled with:

factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Note that factory.setSchema(Schema) only configures validation against a schema; it does not enable secure processing and is not a substitute for the setFeature call above (the recipe below recognizes setFeature only). Also note that secure processing imposes implementation-defined resource limits (for example on entity expansion) but does not, in every implementation, disable DOCTYPE declarations or external entity resolution; where untrusted input may carry a DOCTYPE, XXE-specific hardening of the parser is still required in addition to this feature.

Where factory is an instance of:

  • DocumentBuilderFactory
  • TransformerFactory
  • SAXParserFactory
  • SchemaFactory
  • XPathFactory
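As an added example (not part of the Sensei recipe or its documentation), the class below enables the feature on each of the five factory types listed above, verifies through getFeature that every factory reports it as enabled, and parses a constructed XML string with the hardened DocumentBuilderFactory. The class name, the helper method names and the sample document are assumptions introduced for illustration; the API calls are the standard JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
 * Added example, not recipe code: one helper per JAXP factory type the recipe
 * covers. Each helper enables FEATURE_SECURE_PROCESSING before the factory is
 * used to create a processor, which is the only order in which the setting
 * takes effect.
 */
public class SecureXmlFactories {

    public static DocumentBuilderFactory secureDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static SAXParserFactory secureSaxParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static TransformerFactory secureTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static SchemaFactory secureSchemaFactory()
            throws SAXNotRecognizedException, SAXNotSupportedException {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static XPathFactory secureXPathFactory()
            throws XPathFactoryConfigurationException {
        XPathFactory f = XPathFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Self-check: true only if every factory reports the feature as enabled. */
    public static boolean allSecure() throws Exception {
        return secureDocumentBuilderFactory().getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)
            && secureSaxParserFactory().getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)
            && secureTransformerFactory().getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)
            && secureSchemaFactory().getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)
            && secureXPathFactory().getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; in a real application this is untrusted request data.
        String xml = "<?xml version=\"1.0\"?><order><item sku=\"A-1\" qty=\"2\"/></order>";

        // The builder inherits the feature from the factory it was created from.
        DocumentBuilder builder = secureDocumentBuilderFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        System.out.println("root element: " + doc.getDocumentElement().getTagName());
        System.out.println("all factories report secure processing: " + allSecure());
    }
}
```

The helpers declare the exact checked exceptions each factory's setFeature method throws, so a caller cannot silently swallow a failure to enable the feature. The allSecure check is the assertion a unit test should make against the application's own factory-creating code: it is the factory, not the parser, that must report the feature as enabled.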
Correct code example:
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
...
    // setFeature and newDocumentBuilder throw ParserConfigurationException;
    // the enclosing method must declare or handle it.
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setValidating(false);
    // Enable secure processing on the factory before the parser is created from it.
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Recipe
id: scw:xml:missing-secure-processing
version: 10
metadata:
  name: 'XML Injection: Set missing secure processing feature'
  shortDescription: Could lead to XML Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  enabled: true
  descriptionFile: descriptions/java_enable_xml_secure_processing.html
  tags: security;XML;basic protection set;injection;OWASP Top 10
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          args:
            1:
              referenceTo:
                name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
          name: setFeature
    name: newInstance
    declaration:
      type:
        reference:
          anyOf:
          - is: javax.xml.xpath.XPathFactory
          - is: javax.xml.validation.SchemaFactory
          - is: javax.xml.transform.TransformerFactory
          - is: javax.xml.parsers.SAXParserFactory
          - is: javax.xml.parsers.DocumentBuilderFactory
        checkInheritance: true
availableFixes:
- name: Set FEATURE_SECURE_PROCESSING true
  actions:
  - addMethodCall:
      name: setFeature
      arguments:
      - javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
      - "true"
      position: first-available-spot