Template for a good false-positive report, formatted with Markdown:
- versions used (SonarQube, Scanner, language analyzer)
- minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).
Wrap code around triple quote ``` for proper formatting
Hi, I have this problem with SonarCloud: XML parsers should not be vulnerable to XXE attacks
My code is this:
```java
for (int i = 0; i < 3 && path != null; i++, path = path.getParent()) {
    final Path pom = path.resolve("pom.xml");
    try (InputStream is = Files.newInputStream(pom)) {
        final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(is);
        doc.getDocumentElement().normalize();
        String version = (String) XPathFactory.newInstance().newXPath().compile("/project/version")
                .evaluate(doc, XPathConstants.STRING);
        if (version != null) {
            version = version.trim();
            if (!version.isEmpty()) {
                return version;
            }
        }
    }
}
```
Sonar gives me an error on newInstance(). How can I resolve it?
felipebz (Felipe Zorzo):
Hi,
It's explained in the rule description:
To protect Java XML Parsers from XXE attacks these properties have been defined since JAXP 1.5:
- ACCESS_EXTERNAL_DTD: should be set to "" when processing XML/XSD/XSL files (it looks for external DOCTYPEs)
- ACCESS_EXTERNAL_SCHEMA: should be set to "" when processing XML/XSD/XSL files (it looks for external schemaLocation etc.)
- ACCESS_EXTERNAL_STYLESHEET: should be set to "" when processing XSL files (it looks for external imports, includes etc.)
(…)
Compliant Solution
DocumentBuilderFactory library:
```java
String xml = "xxe.xml";
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // Compliant
DocumentBuilder builder = df.newDocumentBuilder();
Document document = builder.parse(new InputSource(xml));
DOMSource domSource = new DOMSource(document);
```
I can't modify DocumentBuilderFactory. Where should I enter these settings?
felipebz (Felipe Zorzo):
You have to change your code to set the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA attributes, like this:
```java
final Path pom = path.resolve("pom.xml");
try (InputStream is = Files.newInputStream(pom)) {
    final DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    final Document doc = df.newDocumentBuilder().parse(is);
    doc.getDocumentElement().normalize();
    String version = (String) XPathFactory.newInstance().newXPath().compile("/project/version")
            .evaluate(doc, XPathConstants.STRING);
    if (version != null) {
        version = version.trim();
        if (!version.isEmpty()) {
            return version;
        }
    }
}
```
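Added example (not code from the thread or from SonarSource): the hardened factory from the reply above applied to the original version lookup, plus a check that a constructed document whose DOCTYPE points at an external DTD on a hypothetical host is refused rather than fetched. The class name, the `.invalid` host and both XML samples are constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedPomReader {

    // Factory configured as the rule description asks: no external DTDs or schemas.
    static DocumentBuilderFactory hardenedFactory() {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return df;
    }

    // Same /project/version lookup as in the thread, now over the hardened factory.
    static String readVersion(InputStream is) throws Exception {
        Document doc = hardenedFactory().newDocumentBuilder().parse(is);
        doc.getDocumentElement().normalize();
        String version = (String) XPathFactory.newInstance().newXPath()
                .compile("/project/version").evaluate(doc, XPathConstants.STRING);
        return version == null || version.trim().isEmpty() ? null : version.trim();
    }

    static InputStream bytes(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary pom.xml fragment still parses normally.
        String plainPom = "<project><version>1.2.3</version></project>";
        System.out.println("version = " + readVersion(bytes(plainPom)));

        // Constructed sample: a DOCTYPE referencing an external DTD on a hypothetical host.
        // With ACCESS_EXTERNAL_DTD set to "" the parser fails instead of making the request.
        String externalDtdPom = "<!DOCTYPE project SYSTEM \"http://dtd.example.invalid/project.dtd\">"
                + "<project><version>9.9.9</version></project>";
        try {
            readVersion(bytes(externalDtdPom));
            System.out.println("unexpected: external DTD access was not blocked");
        } catch (SAXParseException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The JDK's built-in parser reports which property blocked the access in the exception message, which is a quick way to confirm the setting took effect; a third-party JAXP implementation that does not recognise the attribute throws IllegalArgumentException from setAttribute instead.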
system (system): This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.