Recipe Name:
Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true
Description:
Prevent XXE by disabling DTDs
Level:
error
Language:
- java
Tags:
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Documentation
When the XML processor is not configured correctly to handle references and entities, it may be susceptible to so-called XML external entities (XXE) attacks.
Disabling the parsing of DTDs (Document Type Definition) is the most secure way to prevent XML External Entity injection (XXE), and some Denial of Service attacks.
Beforejaxb2Marshaller.setSupportDtd(true);After
jaxb2Marshaller.setSupportDtd(false);Resources
Recipe
id: scw:spring:xml:xxe-Jaxb2Marshaller-setSupportDtd version: 10 metadata: name: 'Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true' shortDescription: Prevent XXE by disabling DTDs level: error language: java scwCategory: injection:xml cweCategory: 611 enabled: true descriptionFile: descriptions/InjectionXXEJaxb2MarshallersetSupportDtdsettotrue.html tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10 search: methodcall: args: 1: type: boolean value: stringified: "true" name: setSupportDtd type: org.springframework.oxm.jaxb.Jaxb2Marshaller availableFixes: - name: Set setSupportDtd to false actions: - modifyArguments: rewrite: 1: "false"