java:S2755 XML parsers should not be vulnerable to XXE attacks - static final

Lesrac · December 15, 2021, 7:45am

SonarQube: 8.9.3.48735

We define the DocumentBuilderFactory as static code and are setting the needed attributes and features. Sonar still reports this as an issue, when the DOC_BUILDER_FACTORY.newDocumentBuilder() is called.

private static final DocumentBuilderFactory          DOC_BUILDER_FACTORY;
...
static {
       DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
       DOC_BUILDER_FACTORY.setExpandEntityReferences(false);
       DOC_BUILDER_FACTORY.setNamespaceAware(true);
       DOC_BUILDER_FACTORY.setIgnoringComments(true);
       DOC_BUILDER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
       DOC_BUILDER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
       try {
           DOC_BUILDER_FACTORY.setFeature(FEATURE_SECURE_PROCESSING, true);
           DOC_BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       } catch (ParserConfigurationException e) {
           throw new IllegalStateException(e);
       }
}
...
private String extract(RequestType request) {
...
       final Document doc;
       try {
           final DocumentBuilder builder = DOC_BUILDER_FACTORY.newDocumentBuilder();
           InputSource is = new InputSource(new StringReader(iiTypeXML));
           doc = builder.parse(is);
       } catch (Exception e) {
           throw new RuntimeException(e);
       }

       return doc.getFirstChild().getAttributes().getNamedItem("extension").getTextContent();
}

Do we miss something here? Or is the only solution to mark it as “false positive”?

Quentin · January 25, 2022, 4:09pm

Hello @Lesrac

I agree that this issue should not be reported, you can mark it as false positive for now.

The good news is that we just recently changed a bit the implementation of this rule, the problem in your code is no longer reported. I don’t have a ticket describing the exact problem as this was done in the context of another one (SONARJAVA-4059), but it will be part of version 7.8 of the analyzer.

Hope it clarifies the situation.
Best,
Quentin

system · February 1, 2022, 4:10pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
java:S2755 proposed compliant solution does not work Report False-positive / False-negative...	2	535	September 16, 2024
XML parsers should not be vulnerable to XXE attacks (S2755) Report False-positive / False-negative... java , sonarqube	2	1879	July 21, 2020
S2755 False positive Sonar scan engine cannot recognize our code which is secure already Report False-positive / False-negative... java	1	665	March 4, 2022
java:S2755: XML parsers should not be vulnerable to XXE attacks Report False-positive / False-negative... xml , java , gradle	1	1931	June 20, 2023
S2755: XML parsers should not be vulnerable to XXE attacks Report False-positive / False-negative... java	2	1501	November 29, 2021

java:S2755 XML parsers should not be vulnerable to XXE attacks - static final

Related topics