java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false


DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false.


Definition

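rules:
  - id: documentbuilderfactory-disallow-doctype-decl-false
    severity: ERROR
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      asvs:
        section: V5 Validation, Sanitization and Encoding
        # Spelling fixed so the control id matches the ASVS wording ("Insecure").
        control_id: 5.5.2 Insecure XML Deserialization
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
        version: "4"
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://blog.sonarsource.com/secure-xml-processor
        - https://xerces.apache.org/xerces2-j/features.html
      category: security
      technology:
        - java
        - xml
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    message: DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
      external entity declarations, this is vulnerable to XML external entity
      attacks. Disable this by setting the feature
      "http://apache.org/xml/features/disallow-doctype-decl" to true.
      Alternatively, allow DOCTYPE declarations and only prohibit external
      entities declarations. This can be done by setting the features
      "http://xml.org/sax/features/external-general-entities" and
      "http://xml.org/sax/features/external-parameter-entities" to false.
    patterns:
      # The match is on the feature string, not on the receiver's type, so any JAXP
      # factory that explicitly re-enables DOCTYPE declarations is reported (the
      # fixture exercises both DocumentBuilderFactory and SAXParserFactory).
      - pattern: $DBFACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
      # The exclusions below reuse $DBFACTORY on purpose: metavariables are unified
      # across the `patterns` block, so the finding is suppressed only when the SAME
      # factory is hardened in the enclosing method. A differently named
      # metavariable would let an unrelated, hardened factory in the same method
      # mask an unhardened one.
      #
      # Both exclusions keep DOCTYPE processing enabled. They stop external entity
      # resolution, but internal entity declarations can still be expanded
      # (entity-expansion / "billion laughs" style DoS); the JDK's entity-expansion
      # limits are the remaining guard there. Either ordering of the two calls is
      # accepted, hence two variants per mitigation.
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(...){
            ...
            $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
            ...
            $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            ...
          }
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(...){
            ...
            $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            ...
            $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
            ...
          }
      # JAXP external-access restrictions: an empty protocol list disallows every
      # external DTD/schema fetch, the other half of the XXE surface.
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(...){
            ...
            $DBFACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            ...
            $DBFACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            ...
          }
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(...){
            ...
            $DBFACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            ...
            $DBFACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            ...
          }
    languages:
      - java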

Examples

documentbuilderfactory-disallow-doctype-decl-false.java

package example;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;


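/**
 * Negative fixtures for {@code documentbuilderfactory-disallow-doctype-decl-false}: every method
 * here keeps DOCTYPE declarations disabled, so the rule must not report any of these calls.
 *
 * <p>The {@code //ok:} marker on the line directly above each {@code setFeature} call is read by
 * Semgrep's test harness and has to stay immediately above the call it annotates.
 */
class GoodDocumentBuilderFactory {
    /**
     * Disables DOCTYPE declarations outright; the parser then rejects any DTD, and with it every
     * entity declaration, external or internal.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     */
    public void GoodXMLInputFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }

    /**
     * DOCTYPE disabled and, belt and braces, both SAX external-entity features switched off
     * (general entities first, then parameter entities).
     *
     * @throws ParserConfigurationException if the underlying parser does not support a feature
     */
    public void GoodXMLInputFactory2() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    }

    /**
     * Same as {@link #GoodXMLInputFactory2()} with the two external-entity features set in the
     * opposite order, mirroring the rule's order-insensitive exclusions.
     *
     * @throws ParserConfigurationException if the underlying parser does not support a feature
     */
    public void GoodXMLInputFactory3() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    }

    /**
     * DOCTYPE disabled plus the JAXP external-access restrictions; an empty protocol list blocks
     * every external schema/DTD fetch (schema attribute first, then DTD).
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     */
    public void GoodXMLInputFactory4() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    }

    /**
     * Same as {@link #GoodXMLInputFactory4()} with the two access attributes set in the opposite
     * order. Renamed from a second {@code GoodXMLInputFactory4}, which made the fixture uncompilable.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     */
    public void GoodXMLInputFactory5() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    }

    /**
     * The rule keys on the feature string rather than the factory type, so a hardened
     * {@link SAXParserFactory} must be accepted as well.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     * @throws SAXNotRecognizedException if the XMLReader does not recognise the feature name
     * @throws SAXNotSupportedException if the feature is recognised but cannot be set to this value
     */
    public void GoodSAXParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        //ok:documentbuilderfactory-disallow-doctype-decl-false
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }

}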

/**
 * Positive fixture: the factory explicitly re-enables DOCTYPE declarations without restricting
 * external entities, which the rule reports. The {@code //ruleid:} marker is consumed by Semgrep's
 * test harness and must remain on the line directly above the flagged call.
 */
class BadDocumentBuilderFactory {
    /**
     * Leaves DOCTYPE declarations enabled on a freshly created factory.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     */
    public void BadXMLInputFactory() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        //ruleid:documentbuilderfactory-disallow-doctype-decl-false
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
        //fix:documentbuilderfactory-disallow-doctype-decl-false
        //factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }
}

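/**
 * Positive fixture for the SAX side: the rule matches on the feature string, not on the factory
 * type, so a {@link SAXParserFactory} that re-enables DOCTYPE declarations is reported too. The
 * {@code //ruleid:} marker is consumed by Semgrep's test harness and must remain on the line directly
 * above the flagged call.
 */
class BadSAXParserFactory {
    /**
     * Leaves DOCTYPE declarations enabled on a freshly created SAX factory.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the feature
     * @throws SAXNotRecognizedException if the XMLReader does not recognise the feature name
     * @throws SAXNotSupportedException if the feature is recognised but cannot be set to this value
     */
    public void BadSAXParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        //ruleid:documentbuilderfactory-disallow-doctype-decl-false
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
        //fix:documentbuilderfactory-disallow-doctype-decl-false
        //spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }
}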