scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled
semgrepAuthor
unknown
Download Count*
License
XML processor being instantiated without calling the setFeature functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.
Run Locally
Run in CI
Defintion
rules:
- id: sax-dtd-enabled
patterns:
- pattern-either:
- pattern: $SR = new SAXReader(...)
- pattern: |
$SF = SAXParserFactory.newInstance(...)
...
$SR = $SF.newSAXParser(...)
- patterns:
- pattern: $SR = SAXParserFactory.newInstance(...)
- pattern-not-inside: |
...
$X = $SR.newSAXParser(...)
- pattern: $SR = SAXParserFactory.newInstance(...).newSAXParser(...)
- pattern: $SR = new SAXBuilder(...)
- pattern-not-inside: >
...
$SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$SR.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
- pattern-not-inside: >
...
$SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
...
$SR.setFeature("http://xml.org/sax/features/external-general-entities", false)
- pattern-not-inside: >
...
$SR.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
...
$SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
- pattern-not-inside: >
...
$SR.setFeature("http://xml.org/sax/features/external-general-entities", false)
...
$SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
...
$SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
message: XML processor being instantiated without calling the `setFeature`
functions that are generally used for disabling entity processing. User
controlled data in XML Parsers can result in XML Internal Entity
Processing vulnerabilities like the disclosure of confidential data,
denial of service, Server Side Request Forgery (SSRF), port scanning. Make
sure to disable entity processing functionality.
languages:
- scala
severity: WARNING
metadata:
cwe:
- "CWE-611: Improper Restriction of XML External Entity Reference"
owasp:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
category: security
technology:
- scala
confidence: HIGH
references:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: MEDIUM
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- XML Injection
Examples
sax-dtd-enabled.scala
package org.test.test
import java.io.File
import org.dom4j.io.SAXReader
import org.dom4j.{Document}
import javax.xml.parsers.SAXParserFactory
class Foo {
def run1(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ruleid: sax-dtd-enabled
val saxReader = new SAXReader()
val doc = Try(saxReader.read(file))
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
def run2(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ruleid: sax-dtd-enabled
val factory = SAXParserFactory.newInstance()
val saxReader = factory.newSAXParser()
val doc = Try(saxReader.read(file))
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
def run3(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ruleid: sax-dtd-enabled
val factory = SAXParserFactory.newInstance()
val doc = doSomethingWithFactory(factory)
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
def run4(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ruleid: sax-dtd-enabled
val saxReader = SAXParserFactory.newInstance().newSAXParser()
val doc = Try(saxReader.read(file))
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
def okRun1(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ok: sax-dtd-enabled
val saxReader = new SAXReader()
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false)
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
val doc = Try(saxReader.read(file))
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
def okRun2(xmlFilePath:String) = {
val file = new File(xmlFilePath)
// ok: sax-dtd-enabled
val factory = SAXParserFactory.newInstance()
val saxReader = factory.newSAXParser()
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false)
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
val doc = Try(saxReader.read(file))
val result = doc match {
case Success(r) => r
case Failure(exception) => println("getDocumentExcetion:" + exception.getMessage)
}
result.asInstanceOf[Document]
}
}Short Link: https://sg.run/QbYP