java:S2755 has wrong solution for **TransformerFactory**

Hi everyone,

the java:S2755 rule has a wrong solution for TransformerFactory in the "How can I fix it in Java SE?" section, point 3:

// `setAttribute` variant, applicable to:
// - DocumentBuilderFactory
// - TransformerFactory
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

TransformerFactory cannot recognize XMLConstants.ACCESS_EXTERNAL_SCHEMA and fails with the following exception: java.lang.IllegalArgumentException: TransformerFactory does not recognize attribute "http://javax.xml.XMLConstants/property/accessExternalSchema"

Proper solution can be found here: XML External Entity Prevention - OWASP Cheat Sheet Series

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

  • SonarQube Version: Community Edition Version 10.3 (build 82913)
  • SonarQube is deployed via Docker

Hi @alexander.nikiforov,

The link you provided suggests the same solution.

To protect a javax.xml.transform.TransformerFactory from XXE, do this:

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Am I missing something?

All the best,

Irina

Hi Irina,

The link provides the correct solution with ACCESS_EXTERNAL_STYLESHEET, while in "How can I fix it in Java SE?" ACCESS_EXTERNAL_SCHEMA is provided.

I only suggest that the "How can I fix it in Java SE?" section in the SonarLint documentation be corrected with the proper solution:

Ok, I see it. Thank you for pointing it out!
Here is a ticket to fix it: [SONARJAVA-4982] - Jira

All the best,

Irina
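As an added example (not code from the SonarSource rule description, the OWASP cheat sheet, or either poster), the helper below applies the OWASP configuration discussed in this thread and, in `main`, shows that `ACCESS_EXTERNAL_SCHEMA` is rejected by `TransformerFactory` exactly as reported above. It also enables `FEATURE_SECURE_PROCESSING`, which is a real JAXP constant but goes beyond what the thread quotes; the class name `HardenedTransformerFactory` is my own.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public class HardenedTransformerFactory {

    /**
     * Builds a TransformerFactory that blocks external DTD and stylesheet
     * fetches (the OWASP guidance for TransformerFactory). An empty string
     * means "no protocols allowed", so file:, http:, jar: etc. are all refused.
     */
    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Extra hardening not quoted in the thread: secure processing limits
        // entity expansion and other resource-exhaustion vectors.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /** Returns true when the factory refuses the attribute with IllegalArgumentException. */
    public static boolean rejectsAttribute(TransformerFactory tf, String attribute) {
        try {
            tf.setAttribute(attribute, "");
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = create();
        System.out.println("accessExternalDTD        = \""
                + tf.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD) + "\"");
        System.out.println("accessExternalStylesheet = \""
                + tf.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET) + "\"");
        // The rule-description mistake: ACCESS_EXTERNAL_SCHEMA belongs to
        // SchemaFactory / DocumentBuilderFactory, not TransformerFactory.
        System.out.println("ACCESS_EXTERNAL_SCHEMA rejected: "
                + rejectsAttribute(tf, XMLConstants.ACCESS_EXTERNAL_SCHEMA));
    }
}
```

Running `main` against the JDK's built-in XSLT implementation prints both hardened attributes as empty strings and `true` for the rejection check, which is the behaviour the original post describes.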
