mobsf.mobsfscan.xmlfactory_xxe.xmlinputfactory_xxe

MobSF

Author

505

Download Count*

License

XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: xmlinputfactory_xxe
    patterns:
      - pattern-not-inside: >
          $RETURNTYPE $METHOD(...) {
            ...
            $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
            ...
          }
      - pattern-not-inside: >
          $RETURNTYPE $METHOD(...) {
            ...
            $XMLFACTORY.setProperty(java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            ...
          }
      - pattern-either:
          - pattern: $XMLFACTORY = $W.newFactory(...);
          - pattern: $XMLFACTORY = new XMLInputFactory(...);
    message: >
      XML external entities are not explicitly disabled for this
      XMLInputFactory. This could be vulnerable to XML external entity
      vulnerabilities. Explicitly disable external entities by setting
      "javax.xml.stream.isSupportingExternalEntities" to false.
    severity: ERROR
    languages:
      - java
    metadata:
      cwe: cwe-611
      owasp-mobile: m8
      masvs: platform-2
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
      license: LGPL-3.0-or-later

Short Link: https://sg.run/Awj8