mobsf.mobsfscan.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled

profile photo of MobSFMobSF
Author
505
Download Count*
GPLv3
License

XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: xmlinputfactory_xxe_enabled
    pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities",
      true);
    message: >
      XML external entities are enabled for this XMLInputFactory. This is
      vulnerable to XML external entity attacks. Disable external entities by
      setting "javax.xml.stream.isSupportingExternalEntities" to false.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-611
      owasp-mobile: m8
      masvs: platform-2
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
      license: LGPL-3.0-or-later