java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe
Community Favorite
Author: semgrep
Download Count*: 50,751
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
XML external entities are not explicitly disabled for this XMLInputFactory. This could leave it vulnerable to XML external entity (XXE) attacks. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.
Definition
rules:
  - id: xmlinputfactory-possible-xxe
    severity: WARNING
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.5.2 Insecure XML Deserialization
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
        version: "4"
      references:
        - https://semgrep.dev/blog/2022/xml-security-in-java
        - https://semgrep.dev/docs/cheat-sheets/java-xxe/
        - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    message: XML external entities are not explicitly disabled for this
      XMLInputFactory. This could leave it vulnerable to XML external entity
      (XXE) attacks. Explicitly disable external entities by setting
      "javax.xml.stream.isSupportingExternalEntities" to false.
    patterns:
      # A factory is considered safe only when the same method body that
      # creates it also disables external entities, by string key ...
      - pattern-not-inside: >
          $RETURNTYPE $METHOD(...) {
            ...
            $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
            ...
          }
      # ... or by the JDK constant of the same name.
      - pattern-not-inside: >
          $RETURNTYPE $METHOD(...) {
            ...
            $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            ...
          }
      - pattern-either:
          - pattern: $XMLFACTORY = $W.newFactory(...);
          - pattern: $XMLFACTORY = new XMLInputFactory(...);
    languages:
      - java
Examples
xmlinputfactory-possible-xxe.java
// cf. https://github.com/oracle/helidon/blob/ab4e308effaa2fe2170a1c312882b2315e66a9af/integrations/cdi/jpa-cdi/src/main/java/io/helidon/integrations/cdi/jpa/JpaExtension.java#L618
package example;

import javax.xml.stream.XMLInputFactory;
import static javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES;

class GoodXMLInputFactory {
    public void Blah() {
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // See
        // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // ok
        xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
    }
}

class GoodConstXMLInputFactory {
    public void Blah() {
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // See
        // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // ok
        xmlInputFactory.setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }
}

class BadXMLInputFactory {
    public void Blah() {
        // ruleid:xmlinputfactory-possible-xxe
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
        // External entities are explicitly enabled, so the factory stays exposed.
        xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
    }
}

class MaybeBadXMLInputFactory {
    public void Blah() {
        // ruleid:xmlinputfactory-possible-xxe
        // Nothing is configured, so the implementation's defaults decide whether
        // external entities are resolved.
        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
    }
}
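The following program is an added example, not part of the Semgrep rule or its test file. It builds the default XMLInputFactory beside the hardened one the rule expects (external entities off and, as the OWASP cheat sheet referenced above also recommends, DTD support off), then feeds both a constructed document whose DTD declares a SYSTEM entity pointing at a temporary file the program itself creates. The class name StaxXxeDemo, the helper names and the marker string are this example's own. Because the rule's pattern-not-inside clauses only exempt a factory whose setProperty calls sit in the same method body that creates it, the example configures the factory in one method rather than in a separate helper. Exactly how a StAX implementation reacts to a DTD when SUPPORT_DTD is false (rejecting the document, or leaving the reference unexpanded) varies by JDK, so the program reports which outcome it observed instead of assuming one.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: compares the flagged and the hardened XMLInputFactory setup.
public class StaxXxeDemo {

    // Constructed input: a DTD declaring an external entity that points at a
    // temporary file created by this program, plus a reference to that entity.
    static String buildXml(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + target.toUri() + "\"> ]>\n"
             + "<doc>&ext;</doc>";
    }

    // The configuration the rule flags: nothing is disabled, so the parser
    // is free to resolve SYSTEM entities from the local filesystem.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newFactory();
    }

    // The configuration that satisfies the rule. Both properties matter:
    // disabling external entities stops file/URL resolution, and disabling
    // DTD support also removes the entity-expansion (DoS) surface.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Parses the document and returns the concatenated character content,
    // or null if the parser rejected the input with an XMLStreamException.
    static String parseText(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder sb = new StringBuilder();
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    sb.append(r.getText());
                }
            }
            r.close();
            return sb.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }

    // Classifies the outcome: rejected, expanded (marker leaked), or not expanded.
    static String classify(String text, String marker) {
        if (text == null) {
            return "parser rejected the document";
        }
        if (text.contains(marker)) {
            return "external entity WAS expanded (XXE)";
        }
        return "external entity not expanded, text=\"" + text + "\"";
    }

    public static void main(String[] args) throws Exception {
        String marker = "EXAMPLE-FILE-CONTENT";          // constructed marker
        Path target = Files.createTempFile("stax-xxe-demo", ".txt");
        Files.writeString(target, marker);
        String xml = buildXml(target);
        try {
            System.out.println("default  XMLInputFactory: "
                    + classify(parseText(defaultFactory(), xml), marker));
            System.out.println("hardened XMLInputFactory: "
                    + classify(parseText(hardenedFactory(), xml), marker));
        } finally {
            Files.deleteIfExists(target);
        }
    }
}
```

Run it with `javac StaxXxeDemo.java && java StaxXxeDemo` on JDK 11 or later. The hardened line should never report that the entity was expanded; if the default line does, that is the behaviour the rule is warning about, and the fix is the pair of setProperty calls in hardenedFactory, placed in the same method that calls newFactory so the rule recognises it.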
Short Link: https://sg.run/XBwA