Recipe Name:
Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true
Description:
Prevent XXE by disabling DTDs
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Documentation
Disabling the parsing of DTDs (Document Type Definitions) is the most secure way to prevent XML External Entity injection (XXE) and some denial-of-service attacks that rely on DTD processing.
Before: sourceHttpMessageConverter.setSupportDtd(true);
After: sourceHttpMessageConverter.setSupportDtd(false);
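Added example (not part of the recipe or of Spring itself): a small check that builds a SourceHttpMessageConverter the way the fix leaves it and confirms that a document carrying a DOCTYPE is rejected instead of parsed. It assumes spring-web and spring-test are on the classpath; the class name, the helper method names and the sample XML are constructed for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.transform.dom.DOMSource;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.xml.SourceHttpMessageConverter;
import org.springframework.mock.http.MockHttpInputMessage;

// Hypothetical class name; verifies the effect of setSupportDtd(false).
public class DtdDisabledConverterCheck {

    // Builds the converter in the state the recipe's fix leaves it.
    static SourceHttpMessageConverter<DOMSource> hardenedConverter() {
        SourceHttpMessageConverter<DOMSource> converter = new SourceHttpMessageConverter<>();
        converter.setSupportDtd(false);              // the recipe's fix: no DTD processing at all
        converter.setProcessExternalEntities(false); // Spring's default, stated explicitly here
        return converter;
    }

    // Constructed input: a DOCTYPE that declares only an internal entity. No external
    // reference is needed to show the behaviour, because the hardened converter refuses
    // any DTD before entity declarations are even considered.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>\n"
        + "<note>&greeting;</note>";

    // Returns true when the converter rejects the DTD-bearing document.
    static boolean rejectsDtd(SourceHttpMessageConverter<DOMSource> converter) {
        MockHttpInputMessage in =
            new MockHttpInputMessage(XML_WITH_DTD.getBytes(StandardCharsets.UTF_8));
        in.getHeaders().setContentType(MediaType.APPLICATION_XML);
        try {
            converter.read(DOMSource.class, in);
            return false; // parsed successfully: DTDs are still enabled
        } catch (HttpMessageNotReadableException e) {
            return true;  // the parser refused the DOCTYPE, as expected after the fix
        } catch (IOException e) {
            throw new IllegalStateException("unexpected I/O failure on in-memory input", e);
        }
    }

    public static void main(String[] args) {
        boolean rejected = rejectsDtd(hardenedConverter());
        System.out.println("DTD rejected with setSupportDtd(false): " + rejected);
    }
}
```

Running the same check against a converter built with setSupportDtd(true) shows the difference: the document is parsed and the entity expanded, which is exactly the behaviour the recipe flags.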

Resources

Recipe
id: scw:spring:xml:xxe-SourceHttpMessageConverter-setSupportDtd
version: 10
metadata:
  name: 'Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true'
  shortDescription: Prevent XXE by disabling DTDs
  level: error
  language: java
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/InjectionXXESourceHttpMessageConvertersetSupportDtdsettotrue.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setSupportDtd
    type: org.springframework.http.converter.xml.SourceHttpMessageConverter
availableFixes:
- name: Set .setSupportDtd() to false
  actions:
  - modifyArguments:
      rewrite:
        1: "false"