S2755: XML parsers should not be vulnerable to XXE attacks

  • SonarQube 9.1
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;

// javax.xml.validation.SchemaFactory exposes setProperty, not setAttribute
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

Suggestion under “Why this is an issue”:

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or prohibit the use of all protocols by external entities:
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
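
A complete class that compiles the same schema document with a default SchemaFactory and with the hardened one, added here as an example; it is not code from the original post or from SonarSource. The schema document, the entity name and the file path it points at are constructed for the demonstration. It also shows why the documentation snippet does not compile as written: javax.xml.validation.SchemaFactory has setProperty but no setAttribute (setAttribute belongs to DocumentBuilderFactory and TransformerFactory), and setFeature and setProperty declare SAXException subtypes, so the calls need to live inside a method that handles or throws them.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

public class SchemaFactoryXxeDemo {

    // Constructed schema document (not from the original post): the DOCTYPE declares an
    // external entity and the schema's documentation element references it, so a parser
    // that honours the DOCTYPE tries to read the file while the schema is being compiled.
    // The file path is an assumption chosen for illustration only.
    static final String XSD_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE xs:schema [\n"
        + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
        + "  <xs:annotation><xs:documentation>&ext;</xs:documentation></xs:annotation>\n"
        + "  <xs:element name=\"note\" type=\"xs:string\"/>\n"
        + "</xs:schema>\n";

    // Unhardened: a factory with default settings accepts the DOCTYPE and resolves &ext;.
    static Schema compileUnhardened(String xsd) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        return factory.newSchema(new StreamSource(new StringReader(xsd)));
    }

    // Hardened: the configuration the rule asks for. SchemaFactory has setProperty but no
    // setAttribute; setFeature and setProperty both throw SAXException subtypes.
    static Schema compileHardened(String xsd) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Reject any DOCTYPE, which removes DTD-declared entities entirely ...
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // ... and additionally forbid every protocol for external DTDs and external schemas.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newSchema(new StreamSource(new StringReader(xsd)));
    }

    public static void main(String[] args) {
        try {
            compileHardened(XSD_WITH_EXTERNAL_ENTITY);
            System.out.println("hardened: schema compiled (unexpected)");
        } catch (SAXException e) {
            // Expected: the parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("hardened: rejected -> " + e.getMessage());
        }

        try {
            compileUnhardened(XSD_WITH_EXTERNAL_ENTITY);
            System.out.println("unhardened: schema compiled, external entity was resolved");
        } catch (SAXException e) {
            // Reached only if the referenced file could not be read; the attempt to
            // fetch it is the XXE problem either way.
            System.out.println("unhardened: entity resolution attempted -> " + e.getMessage());
        }
    }
}
```

Only the JDK's bundled JAXP is needed: javac SchemaFactoryXxeDemo.java && java SchemaFactoryXxeDemo. The hardened path fails closed with a SAXParseException at the DOCTYPE, so the entity is never dereferenced; the unhardened path either compiles the schema after reading the file or fails with an I/O-related SAXException, and in both cases the parser has already tried to follow the SYSTEM identifier.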

I aligned the documentation with the implementation of the rule by replacing setAttribute with setProperty for the javax.xml.validation.SchemaFactory in this PR.
Thanks for your feedback.
Alban
