Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Secure this "Transformer" by either disabling external DTDs or enabling secure processing.
    • Highlighting:
      Transformer instance creation
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-611
    • OWASP:
      A4
    • FindSecBugs:
      XXE_DTD_TRANSFORM_FACTORY, XXE_XSLT_TRANSFORM_FACTORY

      Description

      An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a javax.xml.transform.Transformer is created without enabling "Secure Processing" or without disabling the resolution of both external DTDs and DTD entities. If that external data is attacker-controlled, it may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

      This rule raises an issue when a Transformer is created without either of these settings.

      Noncompliant Code Example

      // Noncompliant: default factory, external DTDs and stylesheets are resolved
      Transformer transformer = TransformerFactory.newInstance().newTransformer();
      transformer.transform(input, result);

      Compliant Solution

      TransformerFactory factory = TransformerFactory.newInstance();
      // javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
      factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

      Transformer transformer = factory.newTransformer();

      transformer.transform(input, result);

      or

      TransformerFactory factory = TransformerFactory.newInstance();
      // An empty protocol list refuses every external DTD and stylesheet fetch (JAXP 1.5)
      factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
      factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

      Transformer transformer = factory.newTransformer();

      transformer.transform(input, result);
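      As an added example, not part of this rule specification, the two compliant settings combined in one helper that fails closed when the implementation does not support them, run against a constructed document whose DOCTYPE points at an external DTD. It assumes the JDK's built-in JAXP implementation; the class and method names are my own.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class HardenedTransformer {
    /** Factory with both mitigations from the rule applied; fails closed if either is unsupported. */
    static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Mitigation 1: secure processing (bounds entity expansion, disables XSLT extension functions).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Mitigation 2: an empty protocol list refuses every external DTD and stylesheet fetch.
        // Implementations predating JAXP 1.5 throw IllegalArgumentException here; fail closed.
        try {
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException("JAXP 1.5 access restrictions unsupported", e);
        }
        return factory;
    }

    /** Identity transform of an XML string using the hardened factory. */
    static String identityTransform(String xml) throws TransformerException {
        Transformer transformer = newHardenedFactory().newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample: a DOCTYPE that points at an external DTD over HTTP.
        String withExternalDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">"
            + "<note>hello</note>";
        System.out.println(identityTransform("<note>hello</note>")); // plain input still transforms
        try {
            identityTransform(withExternalDtd);
            System.out.println("UNEXPECTED: external DTD was fetched");
        } catch (TransformerException e) {
            // The JDK parser refuses the fetch before any network I/O; the message names accessExternalDTD.
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

      The rejection message distinguishes a policy refusal from a plain network failure, which is what you want to see when validating a hardened configuration.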

      See

      People

      • Assignee:
        Unassigned
      • Reporter:
        Jean-Christophe Collet (Inactive)