java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled
XML external entities are enabled for this XMLInputFactory, which exposes the application to XML external entity (XXE) attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false, and set XMLInputFactory.SUPPORT_DTD to false as well so that DTDs (and the entity declarations they carry) are rejected altogether.
Definition
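rules:
  - id: xmlinputfactory-external-entities-enabled
    severity: ERROR
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.5.2 Insecure XML Deserialization
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
        version: "4"
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      # LOW because the rule only fires when code opts in with an explicit
      # `true`. The JDK documents SUPPORT_DTD as enabled by default and leaves
      # the external-entities default unspecified (the reference implementation
      # resolves them), so a factory that never calls setProperty at all is not
      # reported even though it may be just as exposed. Treat a finding as
      # "definitely enabled", not the absence of one as "safe".
      # NOTE(review): confirm the defaults against the StAX implementation in use.
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    message: >-
      XML external entities are enabled for this XMLInputFactory, which exposes
      the application to XML external entity (XXE) attacks. Disable external
      entities by setting "javax.xml.stream.isSupportingExternalEntities" to
      false, and set XMLInputFactory.SUPPORT_DTD to false as well so that DTDs
      (and the entity declarations they carry) are rejected altogether.
    patterns:
      - pattern-either:
          # The property passed as its string name.
          - pattern: |
              (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true);
          # The same property passed via the JDK constant; the string literal
          # pattern above does not match this spelling on its own.
          - pattern: |
              (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
          # Explicitly enabling DTD processing; DTDs are where entity
          # declarations (internal and external) come from.
          - pattern: |
              (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);
      # Not matched: Boolean.TRUE or a boolean held in a variable.
    languages:
      - java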
Examples
xmlinputfactory-external-entities-enabled.java
// cf. https://github.com/oracle/helidon/blob/ab4e308effaa2fe2170a1c312882b2315e66a9af/integrations/cdi/jpa-cdi/src/main/java/io/helidon/integrations/cdi/jpa/JpaExtension.java#L618
package example;
import javax.xml.stream.XMLInputFactory;
import static javax.xml.stream.XMLInputFactory.SUPPORT_DTD;
/**
 * Hardened StAX factory configuration: DTD processing and external entity
 * resolution are both switched off.
 *
 * <p>Negative fixture for {@code xmlinputfactory-external-entities-enabled};
 * neither {@code setProperty} call below must be reported.
 */
class GoodXMLInputFactory {
  public GoodXMLInputFactory() {
    // See
    // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
    final XMLInputFactory factory = XMLInputFactory.newFactory();
    // Rejecting DTDs outright is the stronger of the two settings: without a
    // DTD there is nowhere to declare an entity in the first place.
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    // Belt and braces: also refuse to resolve external entities.
    // ok:xmlinputfactory-external-entities-enabled
    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
  }
}
/**
 * Hardened StAX factory configuration using only {@code SUPPORT_DTD}
 * (statically imported). Disabling DTDs entirely is sufficient on its own
 * according to the OWASP cheat sheet referenced below.
 *
 * <p>Negative fixture for {@code xmlinputfactory-external-entities-enabled}.
 */
class GoodXMLInputFactory1 {
  public GoodXMLInputFactory1() {
    // See
    // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
    final XMLInputFactory staxFactory = XMLInputFactory.newFactory();
    // ok:xmlinputfactory-external-entities-enabled
    staxFactory.setProperty(SUPPORT_DTD, false);
  }
}
/**
 * DELIBERATELY VULNERABLE. Positive fixture for
 * {@code xmlinputfactory-external-entities-enabled}: external entity
 * resolution is switched on explicitly, so a parser built from this factory
 * will resolve attacker-supplied entities (CWE-611). Do not copy into
 * production code.
 */
class BadXMLInputFactory {
  public BadXMLInputFactory() {
    final XMLInputFactory unsafeFactory = XMLInputFactory.newFactory();
    // Opting in with the property's string name; the rule must flag this line.
    // ruleid:xmlinputfactory-external-entities-enabled
    unsafeFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
  }
}
/**
 * DELIBERATELY VULNERABLE. Positive fixture for
 * {@code xmlinputfactory-external-entities-enabled}: DTD processing is
 * switched on explicitly, which is what lets a document declare entities at
 * all. Do not copy into production code.
 */
class BadXMLInputFactory1 {
  public BadXMLInputFactory1() {
    final XMLInputFactory unsafeFactory = XMLInputFactory.newFactory();
    // Opting in via the JDK constant; the rule must flag this line.
    // ruleid:xmlinputfactory-external-entities-enabled
    unsafeFactory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
  }
}