Recipe Name:
Input Validation: Avoid XXE: Use automatically protected source types
Description:
Could lead to XXE
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Documentation

Secure coding practices prescribe to pass source implementations that do not require manual parsing to the unmarshaller, i.e. either SAXSource or StreamSource.

There are four possible source implementations passed to the unmarshaller: DOMSource, StAXSource, SAXSource and StreamSource.

Recipe
id: scw:spring:xml:xxe-protected-sources
version: 10
metadata:
  name: 'Input Validation: Avoid XXE: Use automatically protected source types'
  shortDescription: Could lead to XXE
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:xml
  cweCategory: 611
  enabled: true
  descriptionFile: descriptions/Input_Validation__Avoid_XXE__Use_automatically_protected_source_types.html
  tags: Spring;security;XXE;framework specific;Spring XML;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type:
          reference:
            matches: javax.xml.transform.dom.DOMSource|javax.xml.transform.stax.StAXSource
          checkInheritance: false
    name: unmarshal
    declaration:
      type:
        reference:
          matches: org.springframework.oxm.Unmarshaller|org.springframework.oxm.jaxb.Jaxb2Marshaller
        checkInheritance: false
scopes:
  library:
    name:
      contains: org.springframework:spring-core
    maxVersion: 4.0.1
availableFixes: []