scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: xmlinputfactory-dtd-enabled
    patterns:
      - pattern-not-inside: >
          ...

          $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
      - pattern-either:
          - pattern: $XMLFACTORY = XMLInputFactory.newFactory(...)
          - pattern: $XMLFACTORY = XMLInputFactory.newInstance(...)
          - pattern: $XMLFACTORY = new XMLInputFactory(...)
    message: XMLInputFactory being instantiated without calling the setProperty
      functions that are generally used for disabling entity processing. User
      controlled data in XML Document builder can result in XML Internal Entity
      Processing vulnerabilities like the disclosure of confidential data,
      denial of service, Server Side Request Forgery (SSRF), port scanning. Make
      sure to disable entity processing functionality.
    languages:
      - scala
    severity: WARNING
    metadata:
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - scala
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

xmlinputfactory-dtd-enabled.scala

package org.test.test

import java.io.{File, FileReader}
import javax.xml.stream.XMLInputFactory

class Foo {

  def run1(file: String) = {
    // ruleid: xmlinputfactory-dtd-enabled
    val factory = XMLInputFactory.newInstance()
    val fileReader = new FileReader(file)
    val xmlReader = factory.createXMLStreamReader(fileReader)
    doSmth(xmlReader)
  }

  def run2(file: String) = {
    // ruleid: xmlinputfactory-dtd-enabled
    val factory = XMLInputFactory.newFactory()
    val fileReader = new FileReader(file)
    val xmlReader = factory.createXMLStreamReader(fileReader)
    doSmth(xmlReader)
  }

  def okRun1(file: String) = {
    // ok: xmlinputfactory-dtd-enabled
    val factory = XMLInputFactory.newInstance
    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
    val fileReader = new FileReader(file)
    val xmlReader = factory.createXMLStreamReader(fileReader)
    doSmth(xmlReader)
  }

  def okRun2(file: String) = {
    // ok: xmlinputfactory-dtd-enabled
    val factory = XMLInputFactory.newFactory()
    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
    val fileReader = new FileReader(file)
    val xmlReader = factory.createXMLStreamReader(fileReader)
    doSmth(xmlReader)
  }

}