JAVA.LIB.XML.INSEC_XSLT : Insecure XSLT Execution (Java)

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

A method call to XSL transformation might resolve external URIs.

This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced in the XML files. This can lead to security problems, since such entities might be downloaded from insecure servers or from servers that lead to out of memory or denial of service. As OWASP puts it, An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Class Name

Insecure XSLT Execution (Java)

Significance

security

Mnemonic

JAVA.LIB.XML.INSEC_XSLT

Categories

CWE	CWE:611	Improper Restriction of XML External Entity Reference
DISA-6r1	DISA-6r1:V-222608	The application must not be vulnerable to XML-oriented attacks.
DISA-5r3	DISA-5r3:V-70269	The application must not be vulnerable to XML-oriented attacks.
DISA-4r3	DISA-4r3:V-70269	The application must not be vulnerable to XML-oriented attacks.

Availability

Available for Java only.

Enabling

Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += discard class="Insecure XSLT Execution (Java)"

Turn off the automatic resolution and download of external entities referenced from XML files, before parsing such files. This can be done in different ways, depending on the kind of XML parser that is used. Check here for the correct solution for each kind of parsers.

The following configuration file parameters affect checks for this warning class.

JAVA.LIB.XML.INSEC_XSLT : Insecure XSLT Execution (Java)

Summary

Properties

Resolution

Relevant Configuration File Parameters