scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled
semgrepAuthor
unknown
Download Count*
License
Document Builder being instantiated without calling the setFeature functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.
Run Locally
Run in CI
Defintion
rules:
- id: documentbuilder-dtd-enabled
patterns:
- pattern-either:
- pattern: |
$DF = DocumentBuilderFactory.newInstance(...)
...
$DB = $DF.newDocumentBuilder(...)
- patterns:
- pattern: $DB = DocumentBuilderFactory.newInstance(...)
- pattern-not-inside: |
...
$X = $DB.newDocumentBuilder(...)
- pattern: $DB = DocumentBuilderFactory.newInstance(...).newDocumentBuilder(...)
- pattern-not-inside: >
...
$DB.setXIncludeAware(true)
...
$DB.setNamespaceAware(true)
...
$DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$DB.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
- pattern-not-inside: >
...
$DB.setXIncludeAware(true)
...
$DB.setNamespaceAware(true)
...
$DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
...
$DB.setFeature("http://xml.org/sax/features/external-general-entities", false)
- pattern-not-inside: >
...
$DB.setXIncludeAware(true)
...
$DB.setNamespaceAware(true)
...
$DB.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
- pattern-not-inside: >
...
$DB.setXIncludeAware(true)
...
$DB.setNamespaceAware(true)
...
$DB.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
...
$DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
message: Document Builder being instantiated without calling the `setFeature`
functions that are generally used for disabling entity processing. User
controlled data in XML Document builder can result in XML Internal Entity
Processing vulnerabilities like the disclosure of confidential data,
denial of service, Server Side Request Forgery (SSRF), port scanning. Make
sure to disable entity processing functionality.
languages:
- scala
severity: WARNING
metadata:
cwe:
- "CWE-611: Improper Restriction of XML External Entity Reference"
owasp:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
category: security
technology:
- scala
confidence: HIGH
references:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- XML Injection
Examples
documentbuilder-dtd-enabled.scala
package org.test.test
import java.io.File
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
class Foo {
def run1(file: File) = {
// ruleid: documentbuilder-dtd-enabled
val docBuilderFactory = DocumentBuilderFactory.newInstance()
val docBuilder = docBuilderFactory.newDocumentBuilder()
val doc = docBuilder.parse(file)
doc.getDocumentElement().normalize()
val foobarList = doc.getElementsByTagName("Foobar")
foobarList
}
def run2(file: File) = {
// ruleid: documentbuilder-dtd-enabled
val docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder()
val doc = docBuilder.parse(file)
doc.getDocumentElement().normalize()
val foobarList = doc.getElementsByTagName("Foobar")
foobarList
}
def okRun1(file: File) = {
// ok: documentbuilder-dtd-enabled
val docBuilderFactory = DocumentBuilderFactory.newInstance()
val docBuilder = docBuilderFactory.newDocumentBuilder()
docBuilder.setXIncludeAware(true)
docBuilder.setNamespaceAware(true)
docBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
docBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false)
docBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
val doc = docBuilder.parse(file)
doc.getDocumentElement().normalize()
val foobarList = doc.getElementsByTagName("Foobar")
foobarList
}
def okRun2(file: File) = {
// ok: documentbuilder-dtd-enabled
val docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder()
docBuilder.setXIncludeAware(true)
docBuilder.setNamespaceAware(true)
docBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false)
docBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
docBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
val doc = docBuilder.parse(file)
doc.getDocumentElement().normalize()
val foobarList = doc.getElementsByTagName("Foobar")
foobarList
}
}Short Link: https://sg.run/gRQn