False negative XXE rule for SchemaFactory (java:S2755)

Hello everyone,

I would like to report a false negative detection we got on a Java code project with our SonarQube developer instance (8.9.7.52159). I would really appreciate it if someone could take a look.

Rule: XML parsers should not be vulnerable to XXE attacks (java:S2755).

Snippet:

import java.io.StringReader;
import java.net.URL;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;

import org.xml.sax.SAXException;

// `log`, `DummyDocumentType` and the XSD path constant are members of the enclosing class (not shown).
private DummyDocumentType getDummyDocumentType(String xmlEventIn) throws JAXBException, SAXException {
  DummyDocumentType dummyDocumentType;
  try {
    final JAXBContext jaxbContext = JAXBContext.newInstance(DummyDocumentType.class);
    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
    // SchemaFactory is left at its defaults: FEATURE_SECURE_PROCESSING is not enabled and
    // ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA are not restricted. This is the
    // configuration S2755 is expected to report and currently does not.
    SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    Schema schema = schemaFactory.newSchema(resourceToString(SRC_MAIN_RESOURCES_XSD_EPCGLOBAL_EPCIS_1_2_XSD));
    unmarshaller.setSchema(schema);
    // The unmarshaller builds its own default SAX parser for the StreamSource.
    dummyDocumentType = unmarshaller.unmarshal(new StreamSource(new StringReader(xmlEventIn)), DummyDocumentType.class).getValue();
  } catch (SAXException | JAXBException e) {
    // Pass the throwable as the last argument so SLF4J logs the stack trace (a `{}` placeholder is not filled by it).
    log.error("Error parsing XML with XSD Exception", e);
    throw e;
  }
  return dummyDocumentType;
}

// Resolves a classpath resource (here the XSD) to a URL.
private URL resourceToString(String filePath) {
  return this.getClass().getClassLoader().getResource(filePath);
}

Don’t hesitate if you need more info.
Thibault
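For comparison, the following is an added example (not code from the original post or from SonarSource) of the same JAXB flow with both XML processors locked down: the SchemaFactory that compiles the XSD and the parser that reads the untrusted document. It assumes the JAXB API and a runtime are on the classpath (on Java 11+ these are separate dependencies); the `Event` class, the inline XSD and the sample inputs are constructed for the example.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;

import org.xml.sax.SAXException;

public final class HardenedSchemaUnmarshal {

  // Constructed JAXB type for the example; a real project would use its own bound classes.
  @XmlRootElement(name = "event")
  @XmlAccessorType(XmlAccessType.FIELD)
  public static class Event {
    @XmlElement(required = true)
    public String id;
  }

  // Constructed XSD matching Event; stands in for the project's real schema file.
  static final String XSD =
      "<?xml version=\"1.0\"?>"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"event\"><xs:complexType><xs:sequence>"
      + "    <xs:element name=\"id\" type=\"xs:string\"/>"
      + "  </xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

  private HardenedSchemaUnmarshal() {}

  // SchemaFactory with external access disabled. This covers xs:import/xs:include resolution
  // while the XSD is compiled and any DTD referenced from it.
  static SchemaFactory secureSchemaFactory() throws SAXException {
    SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // An empty protocol list means no external DTD or schema may be fetched at all.
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    return factory;
  }

  // StAX factory that neither resolves external entities nor processes a DTD.
  static XMLInputFactory secureInputFactory() {
    XMLInputFactory factory = XMLInputFactory.newInstance();
    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    return factory;
  }

  // Same flow as the posted snippet: validate against the XSD while unmarshalling, but the
  // untrusted input goes through the hardened StAX reader instead of a raw StreamSource, so
  // the unmarshaller never creates its own default (entity-expanding) SAX parser for it.
  static <T> T unmarshalValidated(String xml, Class<T> type, Source xsd)
      throws JAXBException, SAXException, XMLStreamException {
    Schema schema = secureSchemaFactory().newSchema(xsd);
    Unmarshaller unmarshaller = JAXBContext.newInstance(type).createUnmarshaller();
    unmarshaller.setSchema(schema);
    XMLStreamReader reader = secureInputFactory().createXMLStreamReader(new StringReader(xml));
    try {
      return unmarshaller.unmarshal(reader, type).getValue();
    } finally {
      reader.close();
    }
  }

  public static void main(String[] args) throws Exception {
    // Well-formed, schema-valid input (constructed).
    Event ok = unmarshalValidated("<event><id>evt-1</id></event>", Event.class,
        new StreamSource(new StringReader(XSD)));
    System.out.println("parsed id = " + ok.id);

    // Constructed input carrying a DOCTYPE with an external entity. With SUPPORT_DTD off the
    // reader refuses the DTD (or the undeclared entity reference), so nothing is ever resolved.
    String withDoctype = "<!DOCTYPE event [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
        + "<event><id>&x;</id></event>";
    try {
      unmarshalValidated(withDoctype, Event.class, new StreamSource(new StringReader(XSD)));
      System.out.println("unexpected: DOCTYPE input was accepted");
    } catch (XMLStreamException | JAXBException rejected) {
      System.out.println("rejected as expected: " + rejected.getClass().getSimpleName());
    }
  }
}
```

The two hardening points are independent: restricting the SchemaFactory protects the XSD compilation step that S2755 is expected to flag here, while the StAX settings protect the parse of the document itself, which the posted snippet hands to the unmarshaller's default parser via a StreamSource.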

Hey @S0obi,

Thanks for the report and your long patience! It indeed seems to me like a False Negative from our implementation of S2755.

I created the following ticket to tackle it: SONARJAVA-4577

Cheers,
Michael
