java.lang.security.audit.xml-decoder.xml-decoder
Community Favorite
Author: semgrep
Download Count*: 73,396
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
XMLDecoder should not be used to parse untrusted data. The java.beans XMLDecoder format is not a data format but a script of constructor and method calls that the decoder replays, so an attacker who controls the document can instantiate arbitrary classes and invoke arbitrary methods on them, leading to arbitrary code execution; this does not depend on XML external entities at all. Parse untrusted XML with a standard parser bound to the types you expect instead, and explicitly disable DTDs and external entities on that parser. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention. The rule flags every new XMLDecoder(...) inside a method body except when the argument is a hardcoded string literal, passed inline or through a local String; it does not track whether an InputStream argument is attacker-controlled, which is why confidence is LOW and the rule sits in the audit subcategory.
Definition
rules:
  - id: xml-decoder
    message: XMLDecoder should not be used to parse untrusted data. Deserializing
      user input can lead to arbitrary code execution. Use an alternative and
      explicitly disable external entities. See
      https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      for alternatives and vulnerability prevention.
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    severity: WARNING
    languages:
      - java
    patterns:
      - pattern: |
          $X $METHOD(...) {
            ...
            new XMLDecoder(...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            new XMLDecoder("...");
            ...
          }
      - pattern-not: |-
          $X $METHOD(...) {
            ...
            String $STR = "...";
            ...
            new XMLDecoder($STR);
            ...
          }
Examples
xml-decoder.java
package testcode.xmldecoder;

import java.beans.XMLDecoder;
import java.io.InputStream;

public class XmlDecodeUtil {

    public static void main(String[] args) {
        // A bundled classpath resource here, but the rule cannot tell a trusted
        // stream from an untrusted one, so handleXml is flagged regardless.
        InputStream in = XmlDecodeUtil.class.getResourceAsStream("/testcode/xmldecoder/obj1.xml");
        XmlDecodeUtil.handleXml(in);
    }

    // ruleid: xml-decoder
    public static Object handleXml(InputStream in) {
        XMLDecoder d = new XMLDecoder(in);
        try {
            Object result = d.readObject(); // Deserialization happens here
            return result;
        }
        finally {
            d.close();
        }
    }

    // ok: xml-decoder
    // Note: java.beans.XMLDecoder has no String constructor, so this method and
    // handleXml2 do not compile as written. They exist only to exercise the rule's
    // pattern-not clauses, which exclude a hardcoded string literal passed either
    // directly or through a local String variable.
    public static Object handleXml1() {
        XMLDecoder d = new XMLDecoder("<safe>XML</safe>");
        try {
            Object result = d.readObject();
            return result;
        }
        finally {
            d.close();
        }
    }

    // ok: xml-decoder
    public static Object handleXml2() {
        String strXml = "<safe>XML</safe>";
        XMLDecoder d = new XMLDecoder(strXml);
        try {
            Object result = d.readObject();
            return result;
        }
        finally {
            d.close();
        }
    }
}
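The fixtures above only exercise the rule's matching. The following added example is not part of the Semgrep rule or its test file; it shows concretely why XMLDecoder is the wrong tool for untrusted input and what the "alternative" named in the rule message looks like in practice. Both XML documents are constructed for the example, and the class and member names (XmlDecoderDemo, BEANS_SCRIPT, decodeWithXmlDecoder, readGreeting) are mine, not from the rule or the JDK. It needs the java.desktop module, which is where java.beans lives.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XmlDecoderDemo {

    // Constructed input in the java.beans long-term persistence format that XMLDecoder reads.
    // It is not a data document: each <object> is a constructor call and each nested <void>
    // is a method call on that object, replayed by the decoder. The class here is the harmless
    // java.lang.StringBuilder, but the document, not the application, chooses the class name.
    static final String BEANS_SCRIPT =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java class=\"java.beans.XMLDecoder\">\n"
        + "  <object class=\"java.lang.StringBuilder\">\n"
        + "    <void method=\"append\"><string>chosen by the document</string></void>\n"
        + "  </object>\n"
        + "</java>\n";

    // What the rule flags: untrusted bytes go straight into XMLDecoder, which constructs
    // whatever class the document names and invokes whatever methods it lists.
    static Object decodeWithXmlDecoder(byte[] untrusted) {
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(untrusted))) {
            return d.readObject();
        }
    }

    // Hardened alternative: a plain DOM parser with DTDs, external entities and XInclude
    // disabled (the settings from the OWASP XXE cheat sheet), followed by explicit extraction
    // of the one field the application expects. Nothing is instantiated on the document's say-so.
    static String readGreeting(byte[] untrusted) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(untrusted));
        if (!"greeting".equals(doc.getDocumentElement().getTagName())) {
            throw new IllegalArgumentException("unexpected root element");
        }
        return doc.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        byte[] script = BEANS_SCRIPT.getBytes(StandardCharsets.UTF_8);
        Object o = decodeWithXmlDecoder(script);
        System.out.println("XMLDecoder built a " + o.getClass().getName() + " containing: " + o);

        byte[] benign = "<greeting>hello</greeting>".getBytes(StandardCharsets.UTF_8);
        System.out.println("hardened parser read: " + readGreeting(benign));

        // Constructed hostile input: a DOCTYPE declaring an external entity, the classic XXE probe.
        byte[] hostile = ("<!DOCTYPE greeting [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>"
                        + "<greeting>&x;</greeting>").getBytes(StandardCharsets.UTF_8);
        try {
            readGreeting(hostile);
            System.out.println("hardened parser accepted the DOCTYPE (must not happen)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

The first call shows the property the rule is really about: readObject() hands back an instance of whatever class the document named, with whatever methods the document listed already executed. Swapping the class name for any other public class on the classpath needs no change to the application, which is why no amount of entity hardening makes XMLDecoder safe for attacker-controlled input. The second and third calls show the replacement: a parser that only builds a tree, configured so that a DOCTYPE is rejected outright, with the application doing the mapping from elements to its own types.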
Short Link: https://sg.run/PJjq