Recipe Name:
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true
Description:
Prevent XXE by disabling the processing of External Entities
Level:
error
Language:
- java
Tags:
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Documentation
When the XML processor is not configured correctly to handle references and entities, it may be susceptible to so-called XML External Entity (XXE) attacks.
The setting .setProcessExternalEntities(true) allows the processing of external XML entities; enabling this flag also sets .setSupportDtd() to true.
Safeguard the application from XML External Entity injection (XXE) attacks with the setting .setProcessExternalEntities(false), which prevents external entities from being resolved.
Before
jaxb2RootElementHttpMessageConverter.setProcessExternalEntities(true);
After
jaxb2RootElementHttpMessageConverter.setProcessExternalEntities(false);
Resources
Recipe
id: scw:spring:xml:xxe-Jaxb2RootElementHttpMessageConverter-setProcessExternalEntities
version: 10
metadata:
  name: 'Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true'
  shortDescription: Prevent XXE by disabling the processing of External Entities
  level: error
  language: java
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/InjectionXXEJaxb2RootElementHttpMessageConvertersetProcessExternalEntitiessettotrue.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setProcessExternalEntities
    type: org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter
availableFixes:
  - name: Set setProcessExternalEntities to false
    actions:
      - modifyArguments:
          rewrite:
            1: "false"