java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true


External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity (XXE) attacks. Disable this by setting the feature "http://xml.org/sax/features/external-parameter-entities" to false. Note that this feature governs parameter entities only; for complete XXE protection also set "http://xml.org/sax/features/external-general-entities" to false and "http://apache.org/xml/features/disallow-doctype-decl" to true.


Definition

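rules:
  - id: documentbuilderfactory-external-parameter-entities-true
    severity: ERROR
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      asvs:
        section: V5 Validation, Sanitization and Encoding
        # Typo fixed: the ASVS 4.0 control is "Insecure XML Deserialization".
        control_id: 5.5.2 Insecure XML Deserialization
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
        version: "4"
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://blog.sonarsource.com/secure-xml-processor
      category: security
      technology:
        - java
        - xml
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    # The finding message. It also names the companion features a hardened
    # parser needs, because flipping this one flag alone does not close XXE.
    message: >-
      External entities are allowed for $DBFACTORY. This is vulnerable to XML
      external entity (XXE) attacks. Disable this by setting the feature
      "http://xml.org/sax/features/external-parameter-entities" to false.
      Note that this feature governs parameter entities only; for complete XXE
      protection also set "http://xml.org/sax/features/external-general-entities"
      to false and "http://apache.org/xml/features/disallow-doctype-decl" to true.
    # $DBFACTORY is a metavariable, so any receiver matches (DocumentBuilderFactory,
    # SAXParserFactory, ...) as long as the feature string and `true` are literal.
    pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities",
      true);
    # Autofix only flips the boolean; the additional features from the message
    # are deliberately not inserted automatically.
    fix: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities",
      false);
    languages:
      - java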

Examples

documentbuilderfactory-external-parameter-entities-true.java

package example;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;


/**
 * Positive fixture: a {@link DocumentBuilderFactory} that switches external
 * parameter entities OFF, so the rule must stay silent ({@code //ok:} marker).
 *
 * <p>Security note: this feature only governs parameter entities. A hardened
 * parser should additionally disable general entities and DOCTYPE
 * declarations; that is outside what this particular rule checks.
 */
class GoodDocumentBuilderFactory {
    /**
     * Creates a factory and disables external parameter entities on it.
     *
     * @throws ParserConfigurationException if the feature is not supported
     */
    public void GoodXMLInputFactory() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Feature string stays inline on purpose: the rule matches the literal.
        //ok:documentbuilderfactory-external-parameter-entities-true
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    }
}

/**
 * Negative fixture: a {@link DocumentBuilderFactory} that explicitly enables
 * external parameter entities. The rule must report the {@code setFeature}
 * call ({@code //ruleid:} marker); this is the XXE-prone configuration.
 */
class BadDocumentBuilderFactory {
    /**
     * Creates a factory and (insecurely) enables external parameter entities.
     *
     * @throws ParserConfigurationException if the feature is not supported
     */
    public void BadXMLInputFactory() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Do not "fix" this line: it is the finding the rule is tested against.
        //ruleid:documentbuilderfactory-external-parameter-entities-true
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
    }
}

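/**
 * Positive fixture for {@link SAXParserFactory}: external parameter entities
 * are switched OFF, so the rule must stay silent ({@code //ok:} marker).
 * The rule's {@code $DBFACTORY} metavariable binds any receiver, which is why
 * a SAX factory is exercised alongside the DOM one.
 *
 * <p>Fix: {@code SAXParserFactory.setFeature} also declares the checked
 * {@link SAXNotRecognizedException} and {@link SAXNotSupportedException}, so
 * the method must declare them (the original fixture did not compile).
 */
class GoodSAXParserFactory {
    /**
     * Creates a SAX factory and disables external parameter entities on it.
     *
     * @throws ParserConfigurationException if the factory cannot be configured
     * @throws SAXNotRecognizedException if the feature name is unknown
     * @throws SAXNotSupportedException if the feature cannot be set
     */
    public void GoodSAXParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        // Feature string stays inline on purpose: the rule matches the literal.
        //ok:documentbuilderfactory-external-parameter-entities-true
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    }
}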

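/**
 * Negative fixture for {@link SAXParserFactory}: external parameter entities
 * are explicitly enabled, so the rule must report the call
 * ({@code //ruleid:} marker). This is the XXE-prone configuration.
 *
 * <p>Fix: {@code SAXParserFactory.setFeature} also declares the checked
 * {@link SAXNotRecognizedException} and {@link SAXNotSupportedException}, so
 * the method must declare them (the original fixture did not compile).
 */
class BadSAXParserFactory {
    /**
     * Creates a SAX factory and (insecurely) enables external parameter entities.
     *
     * @throws ParserConfigurationException if the factory cannot be configured
     * @throws SAXNotRecognizedException if the feature name is unknown
     * @throws SAXNotSupportedException if the feature cannot be set
     */
    public void BadSAXParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        // Do not "fix" this line: it is the finding the rule is tested against.
        //ruleid:documentbuilderfactory-external-parameter-entities-true
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
    }
}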