java:S2755 XML parsers should not be vulnerable to XXE attacks - static final

SonarQube: 8.9.3.48735

We define the DocumentBuilderFactory as a static field and set the needed attributes and features in a static initializer. Sonar still reports this as an issue when DOC_BUILDER_FACTORY.newDocumentBuilder() is called.

private static final DocumentBuilderFactory DOC_BUILDER_FACTORY;
...
static {
    DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
    DOC_BUILDER_FACTORY.setExpandEntityReferences(false);
    DOC_BUILDER_FACTORY.setNamespaceAware(true);
    DOC_BUILDER_FACTORY.setIgnoringComments(true);
    // Empty protocol list: no external DTD or schema may be fetched
    DOC_BUILDER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    DOC_BUILDER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    try {
        DOC_BUILDER_FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE declaration, so no entities (internal or external) can be declared
        DOC_BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    } catch (ParserConfigurationException e) {
        throw new IllegalStateException(e);
    }
}
...
private String extract(RequestType request) {
...
    final Document doc;
    try {
        final DocumentBuilder builder = DOC_BUILDER_FACTORY.newDocumentBuilder();
        // iiTypeXML: the XML text taken from the request (assigned in code elided above)
        InputSource is = new InputSource(new StringReader(iiTypeXML));
        doc = builder.parse(is);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }

    return doc.getFirstChild().getAttributes().getNamedItem("extension").getTextContent();
}

Are we missing something here? Or is the only solution to mark it as a “false positive”?
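As an added, self-contained illustration of the configuration discussed above (this is example code, not code from the post or from SonarSource), the class below builds the same kind of hardened factory once in a static initializer, then shows that a document carrying a DOCTYPE is rejected before any entity is expanded while a plain document still parses. The class name HardenedXmlParser and both sample documents are constructed for the example. It goes slightly beyond the post by also disabling the SAX external-entity and load-external-dtd features, which matter on parsers where a DOCTYPE has to be tolerated.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Configured once; only newDocumentBuilder() is called on it afterwards,
    // which mirrors the static-initializer pattern from the post.
    private static final DocumentBuilderFactory FACTORY = createFactory();

    private static DocumentBuilderFactory createFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        // Empty protocol list: no external DTD or schema may be fetched at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Primary XXE defence: refuse any DOCTYPE, so no entities can be declared.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for deployments that must accept a DOCTYPE.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            // A parser that cannot honour these settings must not be used at all.
            throw new IllegalStateException("XML parser lacks required security features", e);
        }
        return f;
    }

    /** Parses untrusted XML text; throws SAXException if a DOCTYPE is present. */
    public static Document parse(String xml) throws SAXException, IOException {
        try {
            DocumentBuilder builder = FACTORY.newDocumentBuilder();
            return builder.parse(new InputSource(new StringReader(xml)));
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the shape of document the post's extract() reads.
        String benign = "<ii root=\"1.2.3\" extension=\"abc123\"/>";
        Document doc = parse(benign);
        System.out.println("extension = "
            + doc.getFirstChild().getAttributes().getNamedItem("extension").getTextContent());

        // Constructed sample with a DOCTYPE declaring only an internal entity;
        // the hardened factory rejects the whole document on the DOCTYPE itself.
        String withDoctype = "<!DOCTYPE ii [<!ENTITY e \"x\">]><ii extension=\"&e;\"/>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HardenedXmlParser.java && java HardenedXmlParser`; the second parse should end in the "rejected as expected" branch with the JDK's "DOCTYPE is disallowed" message. Keeping the factory configuration in one place, as the post does, is what makes a static-analysis rule able to see that every builder is hardened.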

Hello @Lesrac

I agree that this issue should not be reported, you can mark it as false positive for now.

The good news is that we just recently changed the implementation of this rule a bit; the problem in your code is no longer reported. I don’t have a ticket describing the exact problem, as this was done in the context of another one (SONARJAVA-4059), but it will be part of version 7.8 of the analyzer.

Hope it clarifies the situation.
Best,
Quentin
