java:S2755 proposed compliant solution does not work

Hi

I followed the steps proposed by

to fix the violation
XML parsers should not be vulnerable to XXE attacks java:S2755

However the fix works for DocumentBuilderFactory, but not for SchemaFactory in the following code:

    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.ParserConfigurationException;
    import javax.xml.validation.SchemaFactory;
    import org.xml.sax.SAXNotRecognizedException;
    import org.xml.sax.SAXNotSupportedException;

    // Xerces feature that rejects any DOCTYPE declaration (and with it, entity declarations)
    protected static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Sonar accepts this as compliant for DocumentBuilderFactory
    public static DocumentBuilderFactory createDocumentBuilderFactory() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature(DISALLOW_DOCTYPE, true);
            return factory;
        } catch (ParserConfigurationException e) {
            throw new IllegalArgumentException(e);
        }
    }

    // Same feature applied to SchemaFactory: Sonar still reports java:S2755 here
    public static SchemaFactory createSchemaFactory(String schemaLanguage) {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(schemaLanguage);
            factory.setFeature(DISALLOW_DOCTYPE, true);
            return factory;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new IllegalArgumentException(e);
        }
    }

Any idea why this does not work? Is the proposed compliant solution correct?

We're using Enterprise Edition Version 9.9.1 (build 69595).
Thanks

Hi Thomas,

Thanks for the report! It seems this rule is outdated on our site. I will create internal hardening tickets to improve this.

I would recommend adding the following line as well:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Please mark it as a false positive for now as it will take a little bit until a fix is available, thanks!

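For readers landing here with the same question, the following is an added, self-contained example (not code from the thread above and not the rule's official compliant solution) of how both factories are usually hardened against XXE with standard JAXP settings. It combines the disallow-doctype feature for DocumentBuilderFactory with FEATURE_SECURE_PROCESSING and the ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA properties (set to the empty string, meaning "no protocol allowed") for SchemaFactory and its Validator. The class name, the inline schema and the two sample documents are constructed for the example; the behaviour described in the comments assumes the JDK's built-in Xerces implementation.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

// Hypothetical class name, chosen for this example.
public final class HardenedXmlFactories {

    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // DocumentBuilderFactory: Xerces honours the disallow-doctype feature, so any
    // DOCTYPE (and therefore any entity declaration) is rejected before parsing continues.
    public static DocumentBuilderFactory createDocumentBuilderFactory() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature(DISALLOW_DOCTYPE, true);
            return factory;
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("XML parser does not support the required feature", e);
        }
    }

    // SchemaFactory: there is no "disallow DOCTYPE" concept for schema loading, so the
    // JAXP way to stop external fetches is to deny every protocol for DTDs and schemas.
    public static SchemaFactory createSchemaFactory(String schemaLanguage) {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(schemaLanguage);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return factory;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Implementations older than JAXP 1.5 do not know these properties: fail closed
            // instead of returning a factory that still resolves external resources.
            throw new IllegalStateException("XML implementation cannot be hardened against XXE", e);
        }
    }

    // Constructed sample inputs for this example.
    private static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"user\" type=\"xs:string\"/>"
      + "</xs:schema>";
    private static final String BENIGN_DOC = "<user>alice</user>";
    // Classic XXE payload: an external entity read from the local filesystem.
    private static final String XXE_DOC =
        "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
      + "<user>&xxe;</user>";

    // Returns true when the document validates; prints the reason when it is rejected.
    public static boolean validates(Validator validator, String xml) {
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SchemaFactory sf = createSchemaFactory(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(SCHEMA)));
        Validator validator = schema.newValidator();
        // The Validator carries its own property set; setting the access properties on it
        // as well avoids depending on whether the implementation copies them from the factory.
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        System.out.println("benign document valid: " + validates(validator, BENIGN_DOC));
        System.out.println("XXE document valid:    " + validates(validator, XXE_DOC));

        DocumentBuilderFactory dbf = createDocumentBuilderFactory();
        try {
            dbf.newDocumentBuilder().parse(new InputSource(new StringReader(XXE_DOC)));
            System.out.println("DocumentBuilder parsed the XXE document (NOT hardened)");
        } catch (SAXException e) {
            System.out.println("DocumentBuilder rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces, the benign document validates, the validator refuses to fetch the `file:` entity because no protocol is allowed for external DTDs and entities, and the DocumentBuilder raises a fatal error on the DOCTYPE itself. Whether a given Sonar version recognises this combination as compliant for SchemaFactory is a separate question from whether the parser is actually hardened; the access properties are what close the external-fetch path regardless of what the rule reports.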