RSPEC-2755

Untrusted XML should be parsed without resolving external data

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Disable resolving of external data while processing XML documents.
    • Highlighting:
      Java: Instantiation of the XMLInputFactory, SAXParserFactory, XMLReader or DocumentBuilderFactory object
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Objective-C, PHP
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      C#
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-611, CWE-827
    • OWASP:
      A4
    • FindSecBugs:
      XXE_XMLSTREAMREADER, XXE_SAXPARSER, XXE_XMLREADER, XXE_DOCUMENT
    • MSFT Roslyn:
      CA3075

      Description

      Allowing external DTD entities in untrusted documents to be processed can expose your systems to attackers: the parser will fetch whatever the entity points to, a local file or a remote URL, on the attacker's behalf. Imagine if these entities were parsed:

      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
      <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]><foo>&xxe;</foo>
      

      If you must parse untrusted XML, the best way to protect yourself is to only accept an embedded DTD or, even better, completely ignore any DTD declared in the document.

      Issue Links

        1. Java RSPEC-2756 Language-Specification Active Unassigned

      People

        • Assignee: Unassigned
        • Reporter: ann.campbell.2 Ann Campbell