Disable XML external entity (XXE) processing

aehanno · December 16, 2019, 2:33pm

I have a vulnerability and I try to fix it like that :

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setProperty(DocumentBuilderFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
documentBuilderFactory.setProperty(DocumentBuilderFactory.SUPPORT_DTD, Boolean.FALSE); 

try {
	String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
	documentBuilderFactory.setFeature(FEATURE, true);

	FEATURE = "http://xml.org/sax/features/external-general-entities";
	documentBuilderFactory.setFeature(FEATURE, false);
  
	FEATURE = "http://xml.org/sax/features/external-parameter-entities";
	documentBuilderFactory.setFeature(FEATURE, false);

	FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
	documentBuilderFactory.setFeature(FEATURE, false);
} catch (ParserConfigurationException e) {
	throw new RuntimeException("failed to instanciate documentBuilderFactory", e);
}

documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);

return documentBuilderFactory;

As follow indication in sonarQube

But it doesn’t know “IS_SUPPORTING_EXTERNAL_ENTITIES” and " SUPPORT_DTD" for DocumentBuilderFactory.

How I can fix this vulnaribilty in sonarQube ?
Thanks

Quentin · May 25, 2020, 3:20pm

I just stumble into this topic, I know it’s an old one, but I want to add that we reworked completely this rule, both the description and the implementation. I invite anybody facing issues with this rule to test with a version of the Java Analyzer (>= 6.2), and read the latest description.

If something is still not clear, feel free to get back to us with more information on what needs clarification.

Best,
Quentin