Sensei Logo Sensei Hub

Recipe - XML Injection: Set secure processing feature to true

Description:
Could lead to XML Injection
Level:
error
Language:
  • java
Tags:
  • security
  • XML
  • basic protection set
  • injection
  • OWASP Top 10
Documentation

Secure coding practices prescribe that all XML processors should be configured to enable the secure processing features. This feature should be enabled explicitly where applicable.

An instance of a factory should have the secure processing feature enabled before creating a new instance of the desired XML processor. This can be achieved by using one of the following methods:

factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setSchema(Schema);

Where factory is an instance of:

  • DocumentBuilderFactory
  • TransformerFactory
  • SAXParserFactory
  • SchemaFactory
  • XPathFactory
Correct code example:
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;
...
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setValidating(false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Resources
Recipe
id: scw:xml:secure-processing-true
version: 10
metadata:
  name: 'XML Injection: Set secure processing feature to true'
  shortDescription: Could lead to XML Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  enabled: true
  descriptionFile: descriptions/java_enable_xml_secure_processing.html
  tags: security;XML;basic protection set;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        referenceTo:
          name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
      2:
        type: boolean
        value:
          stringified: "false"
    name: setFeature
availableFixes:
- name: Set Secure Processing to true
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}({{{ arguments.0 }}}, true)'