java:S2755 proposed compliant solution does not work

Hi

I followed the steps proposed by

to fix the violation
XML parsers should not be vulnerable to XXE attacks java:S2755

However the fix works for DocumentBuilderFactory, but not for SchemaFactory in the following code:

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

// Enclosing class and imports added so the snippet compiles; not part of the original post.
public class XmlFactories {

    // Xerces parser feature that rejects any DOCTYPE declaration
    protected static final String DISALLOW_DOCTYE = "http://apache.org/xml/features/disallow-doctype-decl";

    public static DocumentBuilderFactory createDocumentBuilderFactory() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature(DISALLOW_DOCTYE, true);
            return factory;
        } catch (ParserConfigurationException e) {
            throw new IllegalArgumentException(e);
        }
    }

    public static SchemaFactory createSchemaFactory(String schemaLanguage) {
        try {
            SchemaFactory factory = SchemaFactory.newInstance(schemaLanguage);
            factory.setFeature(DISALLOW_DOCTYE, true);
            return factory;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new IllegalArgumentException(e);
        }
    }
}

Any idea why this does not work? Is the proposed compliant solution correct?

We’re using Enterprise Edition, Version 9.9.1 (build 69595).
Thanks

Hi Thomas,

Thanks for the report! It seems this rule is outdated on our site. I will create internal hardening tickets to improve this.

I would recommend adding the following line as well:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Please mark it as a false positive for now as it will take a little bit until a fix is available, thanks!


Hello Hendrik,
I post here so as not to duplicate the issue.

We are having the same problem, where, as of today, on Sonar 10.6, the issue still exists.

As for the SchemaFactory, there’s a problem deploying via JBoss: it injects a library that overwrites the JAXP with 1.4 instead of >= 1.5, where the property for ACCESS_EXTERNAL_DTD doesn’t exist. But still, following the example and leaving only the “disallow-doctype-decl”, as asked, won’t work, and it continues to be flagged as wrong.

Following your info, it should be possible to use that new line (as also for the rule on GitHub), but it still doesn’t exist in SonarScanner. Is there any update about this for a possible release, or a fix for the previous one?

Also, I would like to point out that, with the new “How can I fix it” that is given in the current SonarQube 10.6, for TransformerFactory, it suggests using:

// `setAttribute` variant, applicable to:
// - DocumentBuilderFactory
// - TransformerFactory
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

But, given this, it will give an error anyway. Looking around, I found that in the previous version it was like this instead:

factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Where the second attribute was Stylesheet and not Schema. Maybe some error when refactoring to the new education system?

Thanks for your work.

Davide.
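A version of both factories that uses the JAXP 1.5 limits the JDK actually accepts, covering Thomas's SchemaFactory question and Davide's TransformerFactory point above. This is an added example, not code from the thread or from SonarSource's rule description; it assumes a JDK 8 or newer JAXP implementation (so the ACCESS_EXTERNAL_* limits exist, unlike the JAXP 1.4 library Davide describes), and the class name and the inline schema are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.StringReader;
import org.xml.sax.SAXException;

// Class name is assumed for this example; it is not from the thread.
public final class HardenedXmlFactories {

    // SchemaFactory takes the JAXP 1.5 limits via setProperty, not the
    // DocumentBuilderFactory-style Xerces "disallow-doctype-decl" feature.
    public static SchemaFactory createSchemaFactory() {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external DTDs
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no remote xs:import/xs:include
        } catch (SAXException e) {
            throw new IllegalStateException("JAXP implementation lacks the XXE controls", e);
        }
        return factory;
    }

    // TransformerFactory uses setAttribute and limits DTD and stylesheet access;
    // ACCESS_EXTERNAL_SCHEMA is not an attribute TransformerFactory accepts.
    public static TransformerFactory createTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException(e);
        }
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inline schema: compiling it must still succeed with the limits on.
        String xsd = "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
            + "<xs:element name='note' type='xs:string'/></xs:schema>";
        Schema schema = createSchemaFactory().newSchema(new StreamSource(new StringReader(xsd)));
        System.out.println("schema compiled: " + (schema != null));
        System.out.println("transformer created: " + (createTransformerFactory().newTransformer() != null));
    }
}
```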