mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe
MobSF
Author
unknown
Download Count*
License
XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false.
Run Locally
Run in CI
Defintion
rules:
- id: xmlinputfactory_xxe
patterns:
- pattern-not-inside: >
$RETURNTYPE $METHOD(...) {
...
$XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
...
}
- pattern-not-inside: >
$RETURNTYPE $METHOD(...) {
...
$XMLFACTORY.setProperty(java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
...
}
- pattern-either:
- pattern: $XMLFACTORY = $W.newFactory(...);
- pattern: $XMLFACTORY = new XMLInputFactory(...);
message: >
XML external entities are not explicitly disabled for this
XMLInputFactory. This could be vulnerable to XML external entity
vulnerabilities. Explicitly disable external entities by setting
"javax.xml.stream.isSupportingExternalEntities" to false.
severity: ERROR
languages:
- java
metadata:
cwe: cwe-611
owasp-mobile: m8
masvs: platform-2
reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
license: LGPL-3.0-or-later
vulnerability_class:
- Other
Short Link: https://sg.run/KzZ7