JAVA.LIB.XML.XXE : Possible XML External Entity Reference (Java)

Summary

A method call might perform an unrestricted XML external entity reference.

This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced in those files. This can lead to security problems, since such entities might be downloaded from insecure servers, or from servers whose responses cause out-of-memory conditions or denial of service. As OWASP puts it: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."

Properties

Class Name:    Possible XML External Entity Reference (Java)
Significance:  security
Mnemonic:      JAVA.LIB.XML.XXE
Categories:
    CWE         CWE:611 Improper Restriction of XML External Entity Reference
    DISA-6r1    DISA-6r1:V-222608 The application must not be vulnerable to XML-oriented attacks.
    DISA-5r3    DISA-5r3:V-70269 The application must not be vulnerable to XML-oriented attacks.
    DISA-4r3    DISA-4r3:V-70269 The application must not be vulnerable to XML-oriented attacks.
    OWASP-2017  OWASP-2017:A4 XML external entities
    OWASP-2021  OWASP-2021:A5 Security misconfiguration
Availability:  Available for Java only.
Enabling:      Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

    WARNING_FILTER += discard class="Possible XML External Entity Reference (Java)"

Example

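import java.io.IOException;
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
// The import for the @EntryPoint annotation is not shown on this page.

public class XxeAttacks {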

  public @EntryPoint void test1a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }

  public @EntryPoint void test2a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);                                                 // disallow-doctype-decl set
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                                                                  // ok because disallow-doctype-decl is set
  }

  public @EntryPoint void test3a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);
      dbf.setFeature(FEATURE, false);                                                // disallow-doctype-decl reset to false
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }

  public @EntryPoint void test4a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);
      dbf.setFeature("completely irrelevant", false);
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                     // ok: the unrelated feature does not change disallow-doctype-decl, which is still set
  }

  public @EntryPoint void test5a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      if (System.currentTimeMillis() % 2 == 0)
          dbf.setFeature(FEATURE, true);                                             // disallow-doctype-decl is set, but not for all executions
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }
}

To resolve the warnings, the programmer must ensure that disallow-doctype-decl is always set to true, on every execution path, before parsing the XML file.

Resolution

Before parsing XML files, turn off the automatic resolution and download of external entities that they reference. How this is done depends on the kind of XML parser that is used. Check here for the correct solution for each kind of parser.
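
One way to apply this resolution to a DocumentBuilderFactory, as an added example that is not part of the original page or the checker's own code. It assumes the JDK's default JAXP implementation; HardenedXmlParsing and newHardenedBuilder are hypothetical names, the settings beyond disallow-doctype-decl are standard JAXP/Xerces options that this page does not name, and both sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {
    // Hypothetical helper: the single place where DocumentBuilders are created.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence, set unconditionally: any DOCTYPE makes parse() fail.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth (assumption: not from the page) if DOCTYPEs are ever re-enabled.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return newHardenedBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; the entity target is a placeholder path.
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>"
            + "<order><id>&ext;</id></order>";
        Document ok = parse(plain);
        System.out.println("plain document root: " + ok.getDocumentElement().getTagName());
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // The parser rejects the DOCTYPE before any entity is resolved.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Routing every parse through one factory method keeps the feature set on every execution path, which is the condition the test5a case above fails to meet.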

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.