Recipe Name:
Input Validation: Avoid XXE: Use automatically protected source types
Description:
Could lead to XXE
Level:
error
Language:
- java
Tags:
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Documentation
Secure coding practice prescribes passing the unmarshaller a source implementation that does not require manual parsing, i.e. either SAXSource or StreamSource.
There are four possible source implementations that can be passed to the unmarshaller: DOMSource, StAXSource, SAXSource and StreamSource.
- For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE.
- For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE.
- For SAXSource and StreamSource instances, Spring has disabled external entity processing by default, protecting them from XXE.
It is recommended to use source implementations where external entity processing is handled by the framework, i.e. SAXSource or StreamSource.
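As an added illustration (not code from this recipe or from Spring), the following Java class shows the call pattern the recipe flags next to the two alternatives the documentation describes; OrderImporter and its method names are hypothetical, and a Jaxb2Marshaller is assumed to be configured elsewhere.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class OrderImporter { // hypothetical class name
  private final Jaxb2Marshaller marshaller;

  public OrderImporter(Jaxb2Marshaller marshaller) {
    this.marshaller = marshaller;
  }

  // Flagged by the recipe: a DOMSource means user code parsed the XML, and a
  // default DocumentBuilderFactory leaves external entity processing enabled.
  public Object importFromDom(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    return marshaller.unmarshal(new DOMSource(doc));
  }

  // Recommended: hand the unmarshaller a StreamSource and let Spring parse it;
  // external entity processing is disabled by default for this source type.
  public Object importFromStream(String xml) {
    Source source = new StreamSource(new StringReader(xml));
    return marshaller.unmarshal(source);
  }

  // If a DOMSource is unavoidable, the parser in user code must be hardened
  // before the document reaches the unmarshaller.
  public Object importFromHardenedDom(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    return marshaller.unmarshal(new DOMSource(doc));
  }
}
```

Only importFromDom matches the recipe's search (an unmarshal call on a Jaxb2Marshaller with a DOMSource or StAXSource argument); importFromHardenedDom still matches and would need to be reviewed manually, which is why the StreamSource form is the preferred fix.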
Recipe
id: scw:spring:xml:xxe-protected-sources
version: 10
metadata:
  name: 'Input Validation: Avoid XXE: Use automatically protected source types'
  shortDescription: Could lead to XXE
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/Input_Validation__Avoid_XXE__Use_automatically_protected_source_types.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type:
          reference:
            matches: javax.xml.transform.dom.DOMSource|javax.xml.transform.stax.StAXSource
            checkInheritance: false
    name: unmarshal
    declaration:
      type:
        reference:
          matches: org.springframework.oxm.Unmarshaller|org.springframework.oxm.jaxb.Jaxb2Marshaller
          checkInheritance: false
    scopes:
      library:
        name:
          contains: org.springframework:spring-core
        maxVersion: 4.0.1
availableFixes: []