I got a false positive on OpenSAML's DocumentBuilder.
SonarQube 8.9.1 LTS
FindBugs 4.0.2
Rule: findsecbugs:XXE_DOCUMENT
description: Security - XML parsing vulnerable to XXE (DocumentBuilder)
Libs:
org.opensaml:opensaml-core:3.4.5
net.shibboleth.utilities:java-support:7.5.1
my code:
```java
import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getParserPool;

import javax.xml.transform.Source;
import org.springframework.core.MethodParameter; // assumed: Spring's MethodParameter (spring-ws endpoint signature)
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

protected Object resolveRequestPayloadArgument(MethodParameter parameter, Source requestPayload) throws Exception {
    InputSource inputPayloadSource = sourceToInputSource(requestPayload);
    // The builder comes from OpenSAML's registered ParserPool, not from a DocumentBuilderFactory in this code
    Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
    Element messageElem = payloadDocument.getDocumentElement();
    ...
}
```
Edit:
it triggers on the code line:
Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
As you can see, I don’t create the DocumentBuilder, but use the OpenSAML lib to create one for me.
This lib returns a secured builder by default.
Maybe the scanning logic could be made a bit smarter into not triggering on this code?
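For readers who want to see what "secured builder" means in concrete terms: the following is an added example written for this thread, not code from the original post or from OpenSAML. It configures a plain JAXP DocumentBuilderFactory with the feature set a hardened builder is expected to carry (the assumption that OpenSAML's BasicParserPool applies the same features by default is mine and is not verified here), builds a factory-default builder beside it, and feeds both a constructed payload that declares a DOCTYPE. The hardened builder refuses the document outright; the default one parses it.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedBuilderDemo {

    // Standard Xerces/JAXP feature URIs that close the XXE paths: no DOCTYPE at all,
    // no external general or parameter entities, no external DTD loading,
    // plus the JAXP secure-processing limits. (Assumed, not shown in the thread:
    // OpenSAML's BasicParserPool enables an equivalent set on its builders.)
    static final Map<String, Boolean> HARDENED_FEATURES = new LinkedHashMap<>();
    static {
        HARDENED_FEATURES.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        HARDENED_FEATURES.put("http://xml.org/sax/features/external-general-entities", false);
        HARDENED_FEATURES.put("http://xml.org/sax/features/external-parameter-entities", false);
        HARDENED_FEATURES.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        HARDENED_FEATURES.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    }

    /** A builder whose hardening is visible in the scanned code, which is what XXE_DOCUMENT looks for. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        for (Map.Entry<String, Boolean> f : HARDENED_FEATURES.entrySet()) {
            dbf.setFeature(f.getKey(), f.getValue());
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Factory defaults: entities are expanded, which is the condition the rule is designed to flag. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** True when the builder refuses to parse the document at all. */
    static boolean rejects(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException | IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads. The DOCTYPE one declares only an internal entity,
        // so the demo runs offline; the point is that a hardened builder rejects the
        // DOCTYPE before any entity handling happens.
        String docTypePayload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE msg [ <!ENTITY greeting \"hello\"> ]>\n"
            + "<msg>&greeting;</msg>";
        String plainPayload = "<msg>hello</msg>";

        System.out.println("hardened builder rejects DOCTYPE payload: " + rejects(hardenedBuilder(), docTypePayload));
        System.out.println("hardened builder accepts plain payload:   " + !rejects(hardenedBuilder(), plainPayload));
        System.out.println("default builder rejects DOCTYPE payload:  " + rejects(defaultBuilder(), docTypePayload));
    }
}
```

The static analyser's difficulty is the one the reporter describes: a pattern-based rule sees `DocumentBuilder.parse(...)` and, when the factory configuration lives in a library rather than in the scanned source, it cannot tell the hardened case from the default case. The example above is the shape of code the rule can recognise as safe; when the builder is obtained from a library pool instead, the evidence for the same hardening lives in that library's defaults rather than in the scanned file.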
ganncamp
(G Ann Campbell)
August 16, 2021, 3:58pm
Hi,
Welcome to the community!
We appreciate your reporting this. Unfortunately, we’re not responsible for FindBugs. You’ll need to report this to the current maintainers. I suggest you open an issue on that project.
Ann
Thanks for the reply.
SonarQube (the program) asked me to file an issue, so I did.
I see it is a FindBugSec rule, so I also posted this false positive at their issue tracking:
opened 09:15AM - 13 Aug 21 UTC
I got a false positive on OpenSAML's DocumentBuilder.
## Environment
| Component | Version |
| --------- | --------- |
| SonarQube | 8.9.1 LTS |
| FindBugs | 4.0.2 |
Libs:
org.opensaml:opensaml-core:3.4.5
net.shibboleth.utilities:java-support:7.5.1
## Problem
My code triggers
Rule: findsecbugs:XXE_DOCUMENT
description: Security - XML parsing vulnerable to XXE (DocumentBuilder)
on OpenSAML's DocumentBuilder
## Code
```java
import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getParserPool;

import javax.xml.transform.Source;
import org.springframework.core.MethodParameter; // assumed: Spring's MethodParameter (spring-ws endpoint signature)
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

protected Object resolveRequestPayloadArgument(MethodParameter parameter, Source requestPayload) throws Exception {
    InputSource inputPayloadSource = sourceToInputSource(requestPayload);
    // The builder comes from OpenSAML's registered ParserPool, not from a DocumentBuilderFactory in this code
    Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
    Element messageElem = payloadDocument.getDocumentElement();
    ...
}
```
It triggers on the code line
```java
Document payloadDocument = getParserPool().getBuilder().parse(inputPayloadSource);
```
As you can see, I don’t create the DocumentBuilder, but use the OpenSAML lib to create one for me.
This lib returns a secured builder by default.
Maybe the scanning logic could be made a bit smarter into not triggering on this code?