Text in squid:S2755 issue

java
(Matthew Harrison) #1

Hi, we just upgraded to 7.6 from 7.4, and doing an analysis picked up a new issue around XXE, which is great.
I just wanted to note that in the text explaining the issue it reads:

To disable external entity processing for SAXParserFactory , XMLReader or DocumentBuilderFactory configure one of the properties XMLConstants.FEATURE_SECURE_PROCESSING or "http://apache.org/xml/features/disallow-doctype-decl" to true.

I wonder if this should read “… configure one of the features …” instead? Very minor, but this object has both setProperty and setFeature functions, so the wording as it is gave me a moment to pause, and just check what was meant.

Thanks,

Matt

1 Like
(Alexandre Gigleux) #3

Hello @mattharr,

Welcome to the SonarQube Community!

For your first post, it’s a good catch. For SAXParserFactory, XMLReader or DocumentBuilderFactory, we should say: configure the feature using setFeature.

I changed the description of the rule accordingly. You will see the change in a couple of weeks when we will release SonarJava 5.12.

Regards
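
The following is an added example, not code from this thread or from SonarSource, showing what the corrected rule text asks for: the hardening is done with setFeature on DocumentBuilderFactory, SAXParserFactory and XMLReader, not with setProperty. The class name XxeFeatureDemo and the sample document are constructed for illustration; the sample uses a harmless internal DTD rather than a real external entity, because "http://apache.org/xml/features/disallow-doctype-decl" rejects the DOCTYPE declaration itself, so an external entity pointing at a file or URL would be refused at the same point.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeFeatureDemo {

    // Constructed sample input. A real XXE payload would declare an external
    // entity here (e.g. SYSTEM "file:///etc/passwd"); disallow-doctype-decl
    // refuses any DOCTYPE, so both this and the malicious variant are rejected.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello from the DTD\"> ]>\n"
      + "<note>&greeting;</note>";

    /** Factory as it ships: DOCTYPE accepted, entities expanded. This is the shape S2755 flags. */
    static DocumentBuilderFactory defaultDomFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory. Note every call is setFeature, as the rule text (after this thread) says. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Portable JAXP feature: enables the parser's secure-processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature (supported by the JDK's built-in parser): refuse any DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Standard SAX features, useful where DOCTYPEs must still be accepted.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Same hardening for the SAX path; XMLReader inherits the features of its factory. */
    static SAXParserFactory hardenedSaxFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    static String parseText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: prints the expanded entity text.
        System.out.println("default factory:    " + parseText(defaultDomFactory(), DOC_WITH_DTD));

        // Hardened DOM factory: the DOCTYPE is rejected with a SAXParseException.
        try {
            parseText(hardenedDomFactory(), DOC_WITH_DTD);
            System.out.println("hardened factory:   UNEXPECTEDLY parsed");
        } catch (SAXException e) {
            System.out.println("hardened factory:   rejected -> " + e.getMessage());
        }

        // Hardened SAX / XMLReader path: same outcome.
        XMLReader reader = hardenedSaxFactory().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(
                new ByteArrayInputStream(DOC_WITH_DTD.getBytes(StandardCharsets.UTF_8))));
            System.out.println("hardened XMLReader: UNEXPECTEDLY parsed");
        } catch (SAXException e) {
            System.out.println("hardened XMLReader: rejected -> " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise: the "http://apache.org/..." feature is Xerces-specific, so on a non-Xerces JAXP implementation setFeature throws ParserConfigurationException, which the code above lets propagate rather than silently falling back to an unhardened parser; and disabling external entities does not by itself disable XInclude or schema/DTD fetching, which is why the hardened DOM factory also turns off XInclude awareness.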

(Matthew Harrison) #5

Hi, thanks very much. I’ve actually posted stuff before (probably a few years ago now), and it was either on an old forum, or I forgot my login details 🙂 But yes, sounds good, that should make it clearer.

Cheers,

Matt

(Balázs Hosszu) #6

Hey guys!

To piggyback on this topic, the rule description contains a typo. It says:
“during parsing and igore any DTD’s included …”

It should read ignore instead of igore. Relevant source file linked:

@Alexandre_Gigleux should I open a new ticket or is this fine?

Thanks and cheers,
Balázs

(Tibor Blenessy) #7

Hello @hosszubalazs,

I fixed the typo, thanks. It will become visible with the next release of java analyzer.

1 Like