| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
A method call to an XSL transformation might resolve external URIs.
This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced in those files. This can lead to security problems: such entities might be downloaded from insecure servers, or from servers whose responses exhaust memory or otherwise cause a denial of service. As OWASP puts it: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."
| Class name | Insecure XSLT Execution (Java) |
|---|---|
| Japanese class name | Insecure XSLT Execution (Java) |
| Class category | Security |
| Mnemonic | JAVA.LIB.XML.INSEC_XSLT |
| Category | |
| Supported languages | Available for Java. |
| Enable/disable | Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file: `WARNING_FILTER += discard class="Insecure XSLT Execution (Java)"` |
Turn off the automatic resolution and download of external entities referenced from XML files before parsing such files. How this is done depends on the kind of XML parser in use; refer to the remediation guidance for the specific parser.
The following parameters in the configuration file affect checks for this warning class.
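The following is an added example, not code from the CodeSonar manual or from CodeSecure, showing what this checker looks for in the JAXP `TransformerFactory` case and how the factory is hardened. It assumes the JDK's built-in XSLT implementation; `XMLConstants.FEATURE_SECURE_PROCESSING`, `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` are standard JAXP names, while the class, method names and the sample stylesheet are constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltExternalAccess {

    // Weakly configured factory (the pattern this checker reports): the default
    // TransformerFactory follows external DTD references in the stylesheet and the
    // source document, and fetches xsl:import / xsl:include / document() targets.
    static Transformer weakTransformer(String stylesheet) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        return tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
    }

    // Hardened factory: secure processing plus an explicit empty protocol list for
    // external DTDs and external stylesheets, so neither is ever resolved.
    static Transformer hardenedTransformer(String stylesheet) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // "" means no protocol is allowed. A non-JDK implementation may throw
        // IllegalArgumentException here; treat that as a prompt to use that
        // implementation's own hardening switches, not as something to swallow.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
    }

    // Runs one transformation and returns the textual result.
    static String transform(Transformer t, String inputXml) throws Exception {
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(inputXml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, self-contained stylesheet and input: no DOCTYPE, no includes,
        // so the hardened factory completes the transformation. A stylesheet that
        // carried an external DOCTYPE or a remote xsl:include would fail to load
        // under the hardened factory instead of triggering a network fetch.
        String stylesheet =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\"><xsl:value-of select=\"/order/id\"/></xsl:template>"
          + "</xsl:stylesheet>";
        String input = "<order><id>42</id></order>";

        System.out.println("hardened: " + transform(hardenedTransformer(stylesheet), input));
        System.out.println("weak:     " + transform(weakTransformer(stylesheet), input));
    }
}
```

Both calls print `42` for this benign input; the difference only shows when the stylesheet or document references something external. Note that the factory settings cover parsing the transformer does itself; if the input arrives as a `DOMSource` built by a separately configured `DocumentBuilder`, that parser needs its own external-entity restrictions, which is the other parser kind this checker covers.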