
FP in S2755 when vulnerability is mitigated in another class


    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.8
    • Component/s: Symbolic Execution
    • Labels: None

      Description

      When using DocumentBuilderFactory/DocumentBuilder, if XXE is mitigated on the factory in one class and the factory is then consumed in another class, we still report an issue on the newDocumentBuilder() call, even though the protection is correct.

      Class XxeA:

      import javax.xml.parsers.DocumentBuilderFactory;
      import javax.xml.parsers.ParserConfigurationException;
      
      public class XxeA {
        public static DocumentBuilderFactory getDocumentBuilderFactory() {
          DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
          try {
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
          } catch (ParserConfigurationException ex) {
            throw new IllegalArgumentException();
          }
          return dbf;
        }
      }
      

      Class XxeB:

      import java.io.File;
      import java.io.IOException;
      import javax.xml.parsers.DocumentBuilder;
      import javax.xml.parsers.DocumentBuilderFactory;
      import javax.xml.parsers.ParserConfigurationException;
      import org.xml.sax.SAXException;
      
      public class XxeB {
        private DocumentBuilder foo() throws ParserConfigurationException, IOException, SAXException {
          DocumentBuilderFactory dbf = XxeA.getDocumentBuilderFactory();
          DocumentBuilder db = dbf.newDocumentBuilder(); // FP here, correctly secured.
          db.parse(new File(""));
          return db;
        }
      }
      

      Another way to reproduce the false positive is incomplete code, where the factory comes from a method that cannot be resolved:

        private DocumentBuilder foo() throws ParserConfigurationException, IOException, SAXException {
          DocumentBuilderFactory dbf = unkown(); // intentionally unresolved: the factory's configuration is unknown here
          DocumentBuilder db = dbf.newDocumentBuilder();
          db.parse(new File(""));
          return db;
        }
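      The two snippets above only configure the factory; they do not show what the mitigation actually buys. The following is an added example, not code from this ticket or from SonarJava, that mirrors the XxeA/XxeB split (a helper method builds the factory, a second method consumes it) and checks that a hardened DocumentBuilder rejects a constructed document carrying a DOCTYPE with an external entity declaration. The class name, the sample document and the placeholder entity URI are all constructed for illustration; the feature URIs are the standard Xerces/JAXP ones.

      ```java
      import java.io.ByteArrayInputStream;
      import java.nio.charset.StandardCharsets;
      import javax.xml.parsers.DocumentBuilder;
      import javax.xml.parsers.DocumentBuilderFactory;
      import javax.xml.parsers.ParserConfigurationException;
      import org.xml.sax.SAXException;

      // Hypothetical class name; not part of the ticket or of SonarJava.
      public class XxeHardenedExample {

        // Constructed sample: an internal DTD subset declaring an external entity.
        // The SYSTEM identifier is a placeholder, not a real resource.
        private static final String SAMPLE_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder\"> ]>\n"
          + "<note>&ext;</note>";

        // Constructed sample without any DOCTYPE; must still parse normally.
        private static final String SAMPLE_PLAIN = "<note>hello</note>";

        // Plays the role of XxeA.getDocumentBuilderFactory(): the factory is fully
        // configured here, in a different method than the one that calls newDocumentBuilder().
        public static DocumentBuilderFactory hardenedFactory() {
          DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
          try {
            // Strongest setting: reject any DOCTYPE at all, so no entity can be declared.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that still accept a DOCTYPE.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
          } catch (ParserConfigurationException ex) {
            // A parser that does not support the feature cannot be trusted; fail closed.
            throw new IllegalStateException("XML parser does not support XXE hardening", ex);
          }
          dbf.setXIncludeAware(false);
          dbf.setExpandEntityReferences(false);
          return dbf;
        }

        // Plays the role of XxeB.foo(): consumes the factory built elsewhere.
        // Returns true when the parser refused the document, false when it parsed it.
        public static boolean parseIsRejected(DocumentBuilderFactory dbf, String xml) throws Exception {
          DocumentBuilder db = dbf.newDocumentBuilder();
          try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
          } catch (SAXException e) {
            // With disallow-doctype-decl=true a SAXParseException is raised on the DOCTYPE.
            return true;
          }
        }

        public static void main(String[] args) throws Exception {
          DocumentBuilderFactory dbf = hardenedFactory();
          System.out.println("DOCTYPE sample rejected: " + parseIsRejected(dbf, SAMPLE_WITH_DOCTYPE)); // true
          System.out.println("plain sample rejected:   " + parseIsRejected(dbf, SAMPLE_PLAIN));        // false
        }
      }
      ```

      The point for the rule: the call that S2755 flags (newDocumentBuilder() in parseIsRejected) is safe because of configuration that lives in hardenedFactory(), so an analysis that only looks inside the consuming method sees an unconfigured factory and reports the false positive described in this ticket.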
      

    People

    • Assignee: Unassigned
    • Reporter: Quentin Jaquier (quentin.jaquier)
    • Votes: 2
    • Watchers: 3