Details
- Type: False-Positive
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 7.8
- Component/s: Symbolic Execution
- Labels: None
Description
When using DocumentBuilderFactory/DocumentBuilder, if the XXE mitigation is applied to the factory in one class but the factory is then used in another class, we still report an issue, even though this is a correct protection.
Class XxeA:

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class XxeA {
    public static DocumentBuilderFactory getDocumentBuilderFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // XXE mitigation lives on the factory, so every builder created from it inherits it.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        } catch (ParserConfigurationException ex) {
            throw new IllegalArgumentException();
        }
        return dbf;
    }
}
```
Class XxeB:

```java
import java.io.File;
import java.io.IOException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeB {
    private DocumentBuilder foo() throws ParserConfigurationException, IOException, SAXException {
        // Factory already hardened in XxeA.
        DocumentBuilderFactory dbf = XxeA.getDocumentBuilderFactory();
        DocumentBuilder db = dbf.newDocumentBuilder(); // FP here, correctly secured.
        db.parse(new File(""));
        return db;
    }
}
```
Another way to reproduce the false positive is incomplete code, where the factory comes from a method the analyzer cannot resolve:

```java
private DocumentBuilder foo() throws ParserConfigurationException, IOException, SAXException {
    DocumentBuilderFactory dbf = unknown(); // deliberately unresolved: the analyzer knows nothing about the factory
    DocumentBuilder db = dbf.newDocumentBuilder();
    db.parse(new File(""));
    return db;
}
```
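As an added example (not code from this ticket or from the SonarJava test cases), the same factory-level approach as XxeA, with disallow-doctype-decl and secure processing added, plus a runtime check that a builder obtained from that factory elsewhere rejects a constructed document carrying a DOCTYPE; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardenedFactory {
    // As in XxeA, the protection is set on the factory, so every DocumentBuilder
    // created from it inherits it, whichever class calls newDocumentBuilder().
    public static DocumentBuilderFactory hardenedFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Strongest setting: reject any DOCTYPE, so no entity can be declared at all.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // The two features from the report, kept as defence in depth.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        } catch (ParserConfigurationException ex) {
            throw new IllegalStateException("parser lacks XXE hardening features", ex);
        }
        return dbf;
    }

    /** True when the parser rejected the document, false when it parsed it. */
    public static boolean rejects(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true; // disallow-doctype-decl raises a SAXParseException on the DOCTYPE
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity that points nowhere.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///does-not-exist\">]>"
            + "<d>&ext;</d>";
        String plain = "<d>ok</d>";
        System.out.println("DOCTYPE rejected: " + rejects(hardenedFactory(), withDoctype));
        System.out.println("plain rejected:   " + rejects(hardenedFactory(), plain));
    }
}
```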
Issue Links
- relates to RSPEC-2755 XML parsers should not be vulnerable to XXE attacks (Active)