java:S2755 XML parsers should not be vulnerable to XXE attacks

Our SonarQube configuration is

SonarQube Community Edition 8.2 (build 32929)
SonarJava Code Analyzer for Java 6.1 (build 20866)

We’re using XMLInputFactory to parse XML files from a string:

import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
...

XMLInputFactory factory = XMLInputFactory.newInstance();
// "" = no protocol allowed: the parser must not fetch external DTDs or schemas
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
XMLEventReader reader = factory.createXMLEventReader(new StringReader(myXmlString));

Rule java:S2755 is triggered and marks these lines as incorrect. The rule’s description suggests to “Disable XML external entity (XXE) processing”, which we already did. More specifically, we’re using the suggested solution from the rule’s description:

XMLInputFactory library:

import java.io.FileReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant

XMLEventReader eventReader = factory.createXMLEventReader(new FileReader("xxe.xml"));

The only difference between the suggested solution and our solution is the source of the XML content. However, this should not affect the security of the code.
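The following is an added example, not code from the thread above or from the SonarSource rule text. It parses one attacker-controlled XML string twice, once with a default XMLInputFactory and once with the configuration the rule recommends (plus the two classic StAX properties SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES), so the effect of the settings is visible rather than inferred from the analyzer. The secret file and the malicious document are constructed inline; the class name XxeDemo and the helper names are this example's own. It assumes Java 11 or later and the JDK's built-in StAX implementation; the exact wording of the error, or whether a blocked entity surfaces as an exception or as an unresolved entity-reference event, depends on the StAX implementation in use.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.EntityReference;
import javax.xml.stream.events.XMLEvent;

/**
 * Added example (hypothetical class, not from the thread): compares a default
 * XMLInputFactory with a hardened one on the same XXE payload.
 */
public class XxeDemo {

    /** Default factory: the JDK implementation resolves external entities. */
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: the rule's configuration plus the two StAX switches. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // "" = no protocol allowed for fetching external DTDs or schemas.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Belt and braces: do not resolve external entities, do not process the DTD.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return factory;
    }

    /** Returns the document's character data, or the parser's refusal. */
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
            while (reader.hasNext()) {
                XMLEvent event = reader.nextEvent();
                if (event.isCharacters()) {
                    text.append(event.asCharacters().getData());
                } else if (event.isEntityReference()) {
                    // Unresolved reference: nothing was read from disk.
                    String name = ((EntityReference) event).getName();
                    text.append("[unresolved entity ").append(name).append("]");
                }
            }
            return "parsed: " + text.toString().trim();
        } catch (XMLStreamException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret: a temp file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        secret.toFile().deleteOnExit();

        // Constructed malicious document: the external entity points at the secret.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        System.out.println("default  -> " + parse(vulnerableFactory(), xxe));
        System.out.println("hardened -> " + parse(hardenedFactory(), xxe));
    }
}
```

With the default factory the character data of `<data>` is the contents of the secret file, which is the XXE read the rule is about; with the hardened factory the entity is never fetched. Setting only the two ACCESS_EXTERNAL_* properties, as in the posts above, already stops the file access; SUPPORT_DTD=false additionally removes internal entity expansion, which is the relevant knob if the parser is also exposed to entity-expansion (billion laughs) payloads.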

Hello @akasten and welcome to the community!

The XXE rule for Java has been improved recently in the SonarJava 6.2 release (see this announcement).

If you are upgrading to take advantage of these new features, let us know if that resolves your problem. If you cannot upgrade, I suggest closing this issue as “False Positive”.

Eric


Hi Eric,

thanks for your quick response. We’ll try to update the Java analyzer and have a look at the new rule. I’ll keep you informed of our findings.

Andreas

Hello again,

we’ve installed and successfully tested the new Java analyzer, and the false positive did not occur anymore. That solves our issue.

How can I close this topic?

Thanks again,
Andreas

Good news!

“To close a topic” just click on the “show more” (…) button at the bottom of a post then “solution”.
I have done it for you.

Eric