java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled
Verified by r2c
Community Favorite
Download Count*: 98,708
XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.
Definition
rules:
  - id: xmlinputfactory-external-entities-enabled
    severity: ERROR
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.5.2 Insecure XML Deserialization
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
        version: "4"
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: XML external entities are enabled for this XMLInputFactory. This is
      vulnerable to XML external entity attacks. Disable external entities by
      setting "javax.xml.stream.isSupportingExternalEntities" to false.
    pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
    languages:
      - java
Examples
xmlinputfactory-external-entities-enabled.java
// cf. https://github.com/oracle/helidon/blob/ab4e308effaa2fe2170a1c312882b2315e66a9af/integrations/cdi/jpa-cdi/src/main/java/io/helidon/integrations/cdi/jpa/JpaExtension.java#L618
package example;

import javax.xml.stream.XMLInputFactory;

class GoodXMLInputFactory {
    public GoodXMLInputFactory() {
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // See
        // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // ok:xmlinputfactory-external-entities-enabled
        xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
    }
}

class BadXMLInputFactory {
    public BadXMLInputFactory() {
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // ruleid:xmlinputfactory-external-entities-enabled
        xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
    }
}
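The following is an added, self-contained example and is not part of the Semgrep rule or its test file above. It builds a StAX factory hardened the way the rule message and the linked OWASP cheat sheet recommend, adds a runtime audit check for the two relevant properties (useful in a unit test that guards a shared factory), and parses a constructed document whose DOCTYPE declares an external entity pointing at a deliberately non-existent placeholder URI. The class and method names (StaxHardeningDemo, hardenedFactory, flaggedFactory, supportsExternalEntities, supportsDtd, parse) and the sample document are my own; only the hardened factory is used to parse it, so the reference is never resolved. The exact rejection message depends on the StAX implementation on the classpath, so the code reports it rather than assuming it.

```java
// Added example (not the rule's own test code): harden an XMLInputFactory,
// audit its configuration, and parse a constructed DOCTYPE-bearing document.
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class StaxHardeningDemo {

    // Constructed sample: a DOCTYPE declaring an external entity whose SYSTEM
    // identifier is a placeholder that does not exist on any machine.
    static final String CONSTRUCTED_DOC =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
          + "<note>&ext;</note>";

    // Factory configured as the rule message recommends. SUPPORT_DTD=false is the
    // most complete fix (no DTD means no entity declarations at all);
    // IS_SUPPORTING_EXTERNAL_ENTITIES=false is the property the rule targets.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Factory in the shape the Semgrep pattern flags; kept only as the
    // comparison case for the audit check, never used to parse input here.
    static XMLInputFactory flaggedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
        return f;
    }

    // Runtime checks for the two properties. getProperty returns Object, so
    // Boolean.TRUE.equals() also handles implementations that return null.
    static boolean supportsExternalEntities(XMLInputFactory f) {
        return Boolean.TRUE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    static boolean supportsDtd(XMLInputFactory f) {
        return Boolean.TRUE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD));
    }

    // Streams the document and summarises the events seen; a parser that refuses
    // the DTD or the undeclared entity surfaces as an XMLStreamException.
    static String parse(XMLInputFactory f, String xml) {
        List<String> seen = new ArrayList<>();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                switch (r.next()) {
                    case XMLStreamConstants.DTD:
                        seen.add("DTD");
                        break;
                    case XMLStreamConstants.ENTITY_REFERENCE:
                        seen.add("entityref:" + r.getLocalName());
                        break;
                    case XMLStreamConstants.START_ELEMENT:
                        seen.add("<" + r.getLocalName() + ">");
                        break;
                    case XMLStreamConstants.CHARACTERS:
                        if (!r.isWhiteSpace()) {
                            seen.add("text:" + r.getText());
                        }
                        break;
                    default:
                        break;
                }
            }
            r.close();
            return "parsed " + seen;
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XMLInputFactory safe = hardenedFactory();
        XMLInputFactory flagged = flaggedFactory();
        System.out.println("hardened factory: externalEntities=" + supportsExternalEntities(safe)
                + " dtd=" + supportsDtd(safe));
        System.out.println("flagged factory:  externalEntities=" + supportsExternalEntities(flagged)
                + " dtd=" + supportsDtd(flagged));
        // Only the hardened factory is handed untrusted-looking input.
        System.out.println("hardened parse -> " + parse(safe, CONSTRUCTED_DOC));
    }
}
```

One caveat for anyone relying on this rule alone: the pattern matches the property name written as a string literal, and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES holds exactly that string, so a call such as setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true) is not matched. A code review (or a runtime check like supportsExternalEntities above) should cover both spellings.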
Short Link: https://sg.run/2x75