java:S2755 Mitigating XXE vulnerability in a utility method and returning DocumentBuilderFactory is not recognized

Hi,

ClassA:

public static DocumentBuilderFactory getDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    } catch (ParserConfigurationException ex) {
        // locate(...) and internalError(...) are the project's own error helpers
        throw locate(internalError(ex));
    }
    return dbf;
}

ClassB:

DocumentBuilderFactory dbf = ClassA.getDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder();

In ClassB, dbf.newDocumentBuilder() is flagged for XXE vulnerability although the threat is mitigated in the method that returns the factory.

SonarQube Enterprise Edition
Version 8.8 (build 42792)
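For comparison, the following is an added example (not the poster's ClassA/ClassB code) of a factory hardened against XXE in a single helper, with the DOCTYPE itself refused in addition to the two external-entity features the reproducer disables; the class and method names are hypothetical, and the sample documents are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public final class SafeXml {

    /** Returns a factory hardened against XXE (hypothetical helper, not the poster's ClassA). */
    public static DocumentBuilderFactory hardenedFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            // Strongest setting: refuse any DOCTYPE, so no entity declarations can be parsed at all.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers where DOCTYPEs must stay enabled: no external entities or DTDs.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (ParserConfigurationException ex) {
            // Fail closed: a parser that cannot honour these features must not be used.
            throw new IllegalStateException("XML parser does not support secure features", ex);
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses a document with the hardened factory and returns its root element name. */
    public static String rootName(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ordinary document, and one carrying a (harmless) DOCTYPE.
        System.out.println(rootName("<order><id>42</id></order>"));   // prints "order"
        String withDoctype = "<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
        try {
            rootName(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());       // DOCTYPE is disallowed
        }
    }
}
```

Keeping all hardening inside the one method that creates the factory also matches what the rule checks for, so a future analyzer fix should not have to follow the factory across classes.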

Hello @JSamir

Indeed, this is not the expected behavior, your code looks good to me.

Ticket created: SONARJAVA-3842.

Thanks for reporting this issue and providing a reproducer.

Best,
Quentin

