contrib.owasp.java.xxe.saxparserfactory.owasp.java.xxe.javax.xml.parsers.SAXParserFactory

SAXParserFactory being instantiated without calling the setFeature functions that are generally used for disabling entity processing
Definition
# Semgrep rule: report javax.xml.parsers.SAXParserFactory usage that never hardens
# the factory against XXE (CWE-611). The only hardening this rule recognises is the
# literal `disallow-doctype-decl` feature (see the two pattern-not-inside clauses
# below); every other instantiation is reported.
rules:
- id: owasp.java.xxe.javax.xml.parsers.SAXParserFactory
  message: SAXParserFactory being instantiated without calling the setFeature
    functions that are generally used for disabling entity processing
  metadata:
    cwe:
    - "CWE-611: Improper Restriction of XML External Entity Reference"
    owasp:
    - A04:2017 - XML External Entities (XXE)
    source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    category: security
    references:
    - https://www.programcreek.com/java-api-examples/?api=javax.xml.parsers.SAXParserFactory
    - https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    technology:
    - javax
    - xml
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  severity: ERROR
  patterns:
  # Any one of three shapes is a candidate finding: factory -> parser -> parse()
  # within one statement sequence, a bare factory instantiation, or the chained
  # one-liner that never binds the factory to a variable.
  - pattern-either:
    - pattern: |
        SAXParserFactory $SPF = ... ;
        ...
        SAXParser $SAXPARSER = $SPF.newSAXParser();
        ...
        $SAXPARSER.parse(...);
    - pattern: SAXParserFactory $SPF = SAXParserFactory.newInstance();
    - pattern: SAXParser $SAXPARSER = SAXParserFactory.newInstance().newSAXParser();
  # Suppress when the factory receives disallow-doctype-decl=true anywhere in the
  # enclosing method.
  # NOTE(review): the surrounding `...` impose no ordering, so a setFeature() that
  # runs after $SPF.newSAXParser() also suppresses the finding, although a parser
  # created before the feature was set would presumably not inherit it.
  # NOTE(review): only this exact feature string is recognised. A factory hardened
  # with XMLConstants.FEATURE_SECURE_PROCESSING, with the external-general-entities /
  # external-parameter-entities features set to false, or with the feature URL held
  # in a constant, is still reported (false positive by design; review such hits by hand).
  - pattern-not-inside: >
      $RETURNTYPE $METHOD(...) {
      ...
      $SPF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      ...
      }
  # Same allowlist expressed as a statement sequence: a setFeature() that follows
  # the factory declaration, presumably to cover code that is not inside a
  # `$RETURNTYPE $METHOD(...)` shape (constructors, initialiser blocks).
  - pattern-not-inside: >
      SAXParserFactory $SPF = ... ;
      ...
      $SPF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
  languages:
  - java
Examples
saxparserfactory.java
package org.joychou.controller;
import org.dom4j.DocumentHelper;
import org.dom4j.io.SAXReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.helpers.XMLReaderFactory;
import org.xml.sax.XMLReader;
import java.io.*;
import org.xml.sax.InputSource;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.parsers.SAXParser;
import org.xml.sax.helpers.DefaultHandler;
import org.apache.commons.digester3.Digester;
import org.jdom2.input.SAXBuilder;
import org.joychou.util.WebUtils;
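/**
 * Java xxe vuln and security code.
 *
 * <p>Test fixture for the Semgrep rule {@code owasp.java.xxe.javax.xml.parsers.SAXParserFactory}:
 * {@link #SAXParserVuln} is the positive case (annotated {@code ruleid}) and
 * {@link #SAXParserSec} the negative case (annotated {@code ok}). The
 * {@code // ruleid:} / {@code // ok:} comments are consumed by the Semgrep test
 * runner and must stay on the line directly above the statement they describe.
 *
 * @author JoyChou @2017-12-22
 */
@RestController
@RequestMapping("/xxe")
public class XXE {
    private static final Logger logger = LoggerFactory.getLogger(XXE.class);
    /** Response body returned when reading the request or parsing the XML throws. */
    private static final String EXCEPT = "xxe except";

    /**
     * Parses the raw POST body with a default-configured SAX parser.
     *
     * <p>Intentionally vulnerable: nothing on the factory disables DOCTYPE or
     * external-entity processing, so a body that declares an external entity is
     * handed to a parser that may resolve it (CWE-611). Note also that the
     * attacker-controlled request body is written to the log as-is.
     *
     * @param request the incoming request; its whole body is treated as the XML document
     * @return a fixed marker string, or {@link #EXCEPT} if reading or parsing throws
     */
    @RequestMapping(value = "/SAXParser/vuln", method = RequestMethod.POST)
    public String SAXParserVuln(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);
            // ruleid:owasp.java.xxe.javax.xml.parsers.SAXParserFactory
            SAXParserFactory spf = SAXParserFactory.newInstance();
            SAXParser parser = spf.newSAXParser();
            parser.parse(new InputSource(new StringReader(body)), new DefaultHandler()); // parse xml
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
        return "SAXParser xxe vuln code";
    }

    /**
     * Parses the raw POST body with a SAX parser whose factory forbids DOCTYPE
     * declarations.
     *
     * <p>{@code disallow-doctype-decl=true} is the one hardening the rule's
     * allowlist recognises. Without a DTD there is nowhere to declare an entity,
     * so external entities (and entity-expansion payloads) cannot be introduced;
     * the trade-off is that a document carrying a {@code <!DOCTYPE ...>} is
     * expected to be rejected by the parser, in which case this endpoint answers
     * {@link #EXCEPT}. The feature is set on the factory before
     * {@code newSAXParser()} so the created parser inherits it.
     *
     * @param request the incoming request; its whole body is treated as the XML document
     * @return a fixed marker string, or {@link #EXCEPT} if reading or parsing throws
     */
    @RequestMapping(value = "/SAXParser/sec", method = RequestMethod.POST)
    public String SAXParserSec(HttpServletRequest request) {
        try {
            String body = WebUtils.getRequestBody(request);
            logger.info(body);
            // ok:owasp.java.xxe.javax.xml.parsers.SAXParserFactory
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            SAXParser parser = spf.newSAXParser();
            parser.parse(new InputSource(new StringReader(body)), new DefaultHandler()); // parse xml
        } catch (Exception e) {
            logger.error(e.toString());
            return EXCEPT;
        }
        return "SAXParser xxe security code";
    }

    /** No-op entry point. */
    public static void main(String[] args) {
    }
}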