java.lang.security.audit.xml-decoder.xml-decoder

Community Favorite
Author: semgrep
Download Count: 73,396

XMLDecoder should not be used to parse untrusted data. Its input is not plain XML but the java.beans serialization format, a sequence of instructions to construct objects and call methods, so deserializing user input can lead to arbitrary code execution by whoever authors the document. Use an alternative XML parser for untrusted input and explicitly disable external entities in it. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.
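The following is an added example, not code from the Semgrep rule or from the page's test file. It puts the flagged usage (an XMLDecoder fed a stream the caller does not control) beside the alternative the message recommends: a DOM parser configured per the OWASP cheat sheet above. The class name XmlDecoderHardening and both XML samples are constructed for illustration; the feature URIs are the ones the JDK's built-in (Xerces) parser understands.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlDecoderHardening {

    // Constructed sample in the java.beans serialization format that XMLDecoder consumes.
    // Every <object>/<void> element is an instruction: construct this class, call this method.
    // Nothing in XMLDecoder restricts which classes may be named, so whoever authors the
    // document decides what runs when it is read.
    static final String BEANS_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n"
        + "  <object class=\"java.util.ArrayList\">\n"
        + "    <void method=\"add\"><string>hello</string></void>\n"
        + "  </object>\n"
        + "</java>\n";

    // Constructed sample of what a parser for untrusted XML must reject:
    // a DOCTYPE that declares an external entity.
    static final String XXE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<x>&ext;</x>\n";

    // What the rule flags: XMLDecoder is handed bytes the caller does not control.
    static Object decodeWithXmlDecoder(byte[] untrusted) {
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(untrusted))) {
            return d.readObject();
        }
    }

    // Hardened alternative: a plain DOM parser that yields data, never objects, with DOCTYPE,
    // external entities, external DTD loading and XInclude all disabled.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static Document parseUntrusted(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // XMLDecoder constructs whatever the document names: an ArrayList here, but the
        // class attribute is chosen by the document, not by this code.
        Object o = decodeWithXmlDecoder(BEANS_XML.getBytes(StandardCharsets.UTF_8));
        System.out.println("XMLDecoder built: " + o.getClass().getName() + " " + o);

        // The DOM parser returns a tree for well-formed data ...
        Document doc = parseUntrusted("<order><id>42</id></order>");
        System.out.println("DOM root: " + doc.getDocumentElement().getTagName());

        // ... and refuses the DOCTYPE before any entity can be resolved.
        try {
            parseUntrusted(XXE_XML);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The hardened builder rejects the DOCTYPE outright rather than merely disabling entity expansion; that is the single most effective setting from the cheat sheet, and the remaining features are defence in depth for parsers or configurations where disallow-doctype-decl is not honoured. Note that no parser setting makes XMLDecoder safe on untrusted input: the danger is the format's semantics, not entity handling, which is why the rule tells you to switch the API rather than configure it.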


Definition

rules:
  - id: xml-decoder
    message: XMLDecoder should not be used to parse untrusted data. Deserializing
      user input can lead to arbitrary code execution. Use an alternative and
      explicitly disable external entities. See
      https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      for alternatives and vulnerability prevention.
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    severity: WARNING
    languages:
      - java
    patterns:
      - pattern: |
          $X $METHOD(...) {
            ...
            new XMLDecoder(...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            new XMLDecoder("...");
            ...
          }
      - pattern-not: |-
          $X $METHOD(...) {
            ...
            String $STR = "...";
            ...
            new XMLDecoder($STR);
            ...
          }

Examples

xml-decoder.java

package testcode.xmldecoder;

import java.beans.XMLDecoder;
import java.io.InputStream;

public class XmlDecodeUtil {

    public static void main(String[] args) {
        InputStream in = XmlDecodeUtil.class.getResourceAsStream("/testcode/xmldecoder/obj1.xml");
        XmlDecodeUtil.handleXml(in);
    }

    // ruleid: xml-decoder
    public static Object handleXml(InputStream in) {
        XMLDecoder d = new XMLDecoder(in);
        try {
            Object result = d.readObject(); // Deserialization happens here
            return result;
        }
        finally {
            d.close();
        }
    }

    // ok: xml-decoder
    // Semgrep test fixture, not compilable Java: XMLDecoder has no String constructor.
    // The literal argument exists to exercise the rule's first pattern-not clause
    // (a hard-coded string is not untrusted input).
    public static Object handleXml1() {
        XMLDecoder d = new XMLDecoder("<safe>XML</safe>");
        try {
            Object result = d.readObject();
            return result;
        }
        finally {
            d.close();
        }
    }

    // ok: xml-decoder
    // Same fixture shape as above, exercising the second pattern-not clause:
    // a local String initialised from a literal and then passed to XMLDecoder.
    public static Object handleXml2() {
        String strXml = "<safe>XML</safe>";
        XMLDecoder d = new XMLDecoder(strXml);
        try {
            Object result = d.readObject();
            return result;
        }
        finally {
            d.close();
        }
    }

}