Versions used:
Rule:
- java:S2755 – XML parsers should not be vulnerable to XXE attacks
Minimal code sample:
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

class TestClass {
    TransformerFactory createTransformerFactory()
            throws IllegalArgumentException, TransformerConfigurationException {
        final TransformerFactory transformerFactory = TransformerFactory.newInstance();
        // Saxon doesn't support the standard XMLConstants in its factory -- it throws an exception
        // (saxon HE 9.9.1 is brought in by com.puppycrawl.tools:checkstyle:8.18)
        if (transformerFactory instanceof net.sf.saxon.TransformerFactoryImpl)
        {
            transformerFactory.setFeature(net.sf.saxon.lib.FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
        }
        else
        {
            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        }
        return transformerFactory;
    }
}
Source code for the actual factory:
- https://dev.saxonica.com/repos/archive/opensource/latest10/hej/net/sf/saxon/jaxp/SaxonTransformerFactory.java (net.sf.saxon.TransformerFactoryImpl extends this minimally)
- https://dev.saxonica.com/repos/archive/opensource/latest10/hej/net/sf/saxon/lib/FeatureKeys.java (the supported options)
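As an added example (not part of the report above, and not Saxon or SonarSource code): a self-check that applies the standard JAXP hardening to the JDK's own TransformerFactory and then verifies, against a temp file the check itself creates, that an external entity is refused rather than resolved. It assumes Java 11+ (TransformerFactory.newDefaultInstance, Files.writeString) and sets ACCESS_EXTERNAL_STYLESHEET (the XMLConstants property covering xsl:include/xsl:import and document() in a TransformerFactory) alongside ACCESS_EXTERNAL_DTD; the same check can be run against whatever provider TransformerFactory.newInstance() resolves to.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeFactoryCheck {
    // Hardened factory on the JDK's built-in implementation (Java 9+ API).
    // An empty protocol list denies external DTDs/entities and external stylesheets.
    static TransformerFactory hardenedJdkFactory() {
        TransformerFactory tf = TransformerFactory.newDefaultInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Feeds the factory a constructed document whose DTD declares an external
    // entity pointing at a temp file we control. Returns true if the file's
    // contents reach the transform output (XXE), false if the parser refused.
    static boolean leaksExternalEntity(TransformerFactory tf) throws IOException {
        Path secret = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(secret, "SECRET-MARKER");
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<root>&ext;</root>";
        StringWriter out = new StringWriter();
        try {
            tf.newTransformer().transform(   // identity transform, no stylesheet
                new StreamSource(new StringReader(xml)), new StreamResult(out));
        } catch (TransformerException e) {
            return false;                    // entity fetch was blocked by the parser
        } finally {
            Files.deleteIfExists(secret);
        }
        return out.toString().contains("SECRET-MARKER");
    }

    public static void main(String[] args) throws IOException {
        System.out.println("hardened JDK factory leaks: " + leaksExternalEntity(hardenedJdkFactory()));
        // newInstance() may resolve to another provider (e.g. Saxon when it is on
        // the classpath); verify that one the same way rather than assuming.
        System.out.println("default provider leaks: " + leaksExternalEntity(TransformerFactory.newInstance()));
    }
}
```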