Recipe - XXE: XMLInputFactory: Add IS_SUPPORTING_EXTERNAL_ENTITIES feature

Description:
Could lead to XXE
Level:
error
Language:
  • java
Tags:
  • security
  • XXE
  • basic protection set
  • OWASP Top 10
Documentation

When an XML processor is not configured to restrict how it handles entity references and external entities, it may be susceptible to XML external entity (XXE) attacks. This recipe flags a javax.xml.stream.XMLInputFactory obtained from newFactory() that is not followed by a setProperty call for IS_SUPPORTING_EXTERNAL_ENTITIES, and offers a fix that adds that call with the value false.

In order to prevent XXE vulnerabilities, the XML processor needs to be configured correctly. As stated on the OWASP XXE Cheat Sheet: "The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that's specific to each parser." For specific instructions per parser we refer to the OWASP XXE Cheat Sheet as well.
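The pattern the recipe flags beside the configuration its fix produces, as an added example (not code from the recipe or from Sensei). It also sets SUPPORT_DTD to false, following the cheat sheet's advice to disable DTDs entirely where they are not needed; the class and method names and the sample document are constructed for this illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeSafeStax {
    // The pattern the recipe flags: newFactory() with no later setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, ...),
    // so the StAX implementation's own default decides whether external entities are resolved.
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newFactory();
    }

    // What the recipe's fix produces (IS_SUPPORTING_EXTERNAL_ENTITIES=false), plus SUPPORT_DTD=false,
    // which the OWASP cheat sheet recommends when the application has no need for DTDs at all.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return factory;
    }

    // Configuration check for a unit test: read the property back instead of trusting the call site.
    static boolean allowsExternalEntities(XMLInputFactory factory) {
        return Boolean.TRUE.equals(factory.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    // Concatenates the character content of a document parsed with the given factory.
    static String textContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        String xml = "<order><item>widget</item></order>"; // constructed sample input, no DOCTYPE
        System.out.println("unsafe factory allows external entities: " + allowsExternalEntities(unsafeFactory()));
        System.out.println("hardened factory allows external entities: " + allowsExternalEntities(hardenedFactory()));
        System.out.println("content: " + textContent(hardenedFactory(), xml));
    }
}
```

The value reported for the unsafe factory depends on the StAX implementation on the classpath, which is exactly why the recipe requires the property to be set explicitly rather than left to a default.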

Resources
Recipe
id: scw:xxe:xmlinputfactory-missing-is_supporting
version: 10
metadata:
  name: 'XXE: XMLInputFactory: Add IS_SUPPORTING_EXTERNAL_ENTITIES feature'
  shortDescription: Could lead to XXE
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: Java/XML/descriptions/XXE.html
  tags: security;XXE;basic protection set;OWASP Top 10
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          args:
            1:
              referenceTo:
                name: javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES
          name: setProperty
    name: newFactory
    declaration:
      type: javax.xml.stream.XMLInputFactory
availableFixes:
- name: Set Support for External Entities to false
  actions:
  - addMethodCall:
      name: setProperty
      arguments:
      - javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES
      - "false"
      position: first-available-spot