XML parsers should not be vulnerable to XXE attacks

Template for a good false-positive report, formatted with Markdown:

  • versions used (SonarQube, Scanner, language analyzer)
  • minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).

Wrap code around triple quote ``` for proper formatting

Hi, I have this problem with SonarCloud: XML parsers should not be vulnerable to XXE attacks

My code is this:

```java
for (int i = 0; i < 3 && path != null; i++, path = path.getParent()) {
    final Path pom = path.resolve("pom.xml");
    try (InputStream is = Files.newInputStream(pom)) {
        // Sonar flags this newInstance(): the factory is used with all of its defaults
        final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(is);
        doc.getDocumentElement().normalize();
        String version = (String) XPathFactory.newInstance().newXPath().compile("/project/version")
                .evaluate(doc, XPathConstants.STRING);
        if (version != null) {
            version = version.trim();
            if (!version.isEmpty()) {
                return version;
            }
        }
    }
}
```

Sonar gives me an error on newInstance(). How can I resolve it?

Hi,

It’s explained in the rule description.

To protect Java XML Parsers from XXE attacks these properties have been defined since JAXP 1.5:

  • ACCESS_EXTERNAL_DTD: should be set to "" when processing XML/XSD/XSL files (it looks for external DOCTYPEs)
  • ACCESS_EXTERNAL_SCHEMA: should be set to "" when processing XML/XSD/XSL files (it looks for external schemaLocation etc.)
  • ACCESS_EXTERNAL_STYLESHEET: should be set to "" when processing XSL files (it looks for external imports, includes etc.)

(…)

Compliant Solution
DocumentBuilderFactory library:

```java
String xml = "xxe.xml";
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
DocumentBuilder builder = df.newDocumentBuilder();
Document document = builder.parse(new InputSource(xml));
DOMSource domSource = new DOMSource(document);
```

I can't modify DocumentBuilderFactory. Where should I enter these settings?

You have to change your code to set the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA attributes, like this:

```java
// needs: import javax.xml.XMLConstants;
final Path pom = path.resolve("pom.xml");
try (InputStream is = Files.newInputStream(pom)) {
    final DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
    // no protocol is allowed for external DTDs/entities or external schemas
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

    final Document doc = df.newDocumentBuilder().parse(is);
    doc.getDocumentElement().normalize();
    String version = (String) XPathFactory.newInstance().newXPath().compile("/project/version")
            .evaluate(doc, XPathConstants.STRING);
    if (version != null) {
        version = version.trim();
        if (!version.isEmpty()) {
            return version;
        }
    }
}
```
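As an added, stand-alone example (not code from the thread and not SonarSource's rule text), the program below puts the flagged factory and the hardened factory side by side and parses the same constructed pom.xml-shaped payload with both. The payload declares an external entity pointing at a temporary file the program creates itself, so it runs offline and reads nothing real. The class name `XxeDemo`, the method names and the temp file are assumptions for the demo; the `ACCESS_EXTERNAL_*` attributes come from the rule quoted above, and the additional `disallow-doctype-decl` and `external-*-entities` feature URIs are the standard Xerces/JDK feature names. Disallowing the DOCTYPE entirely is the stricter choice for a file like pom.xml that never needs one, and it also rejects internal-entity expansion payloads that the two access attributes alone do not cover.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** The factory Sonar flags: every default left in place, so DOCTYPE and external entities are honoured. */
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: the two JAXP 1.5 attributes from the rule, plus the usual Xerces hardening features. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        // Rule's compliant solution: no protocol may be used to fetch external DTDs/entities or schemas.
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Stricter: a pom.xml never needs a DOCTYPE, so reject any document that carries one.
        // This also stops internal-entity expansion payloads, which the two attributes above do not.
        df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        df.setFeature("http://xml.org/sax/features/external-general-entities", false);
        df.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        df.setXIncludeAware(false);
        df.setExpandEntityReferences(false);
        return df;
    }

    /** Same logic as the thread's snippet: parse, then read /project/version with XPath. */
    static String readVersion(DocumentBuilderFactory df, String xml) throws Exception {
        DocumentBuilder builder = df.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        doc.getDocumentElement().normalize();
        String version = (String) XPathFactory.newInstance().newXPath()
                .compile("/project/version").evaluate(doc, XPathConstants.STRING);
        return version == null ? "" : version.trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file an attacker would want to read.
        Path secret = Files.createTempFile("xxe-demo-secret", ".txt");
        Files.write(secret, "s3cr3t-token".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious pom.xml: the external entity pulls the file into <version>.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE project [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<project><version>&xxe;</version></project>";

        try {
            // Default factory: the entity is resolved and the file contents come back as the "version".
            System.out.println("vulnerable: " + readVersion(vulnerableFactory(), payload));

            // Hardened factory: the DOCTYPE itself is rejected before any entity is resolved.
            try {
                readVersion(hardenedFactory(), payload);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. If you only apply the two `setAttribute` calls from the rule and leave the DOCTYPE allowed, the hardened parse still fails, but with an "access is not allowed due to restriction set by the accessExternalDTD property" error instead of a DOCTYPE rejection; either way the file contents never reach the DOM. Build the factory once (it is the configuration object, not the per-parse `DocumentBuilder`) and reuse it for every pom.xml you read.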

Thank you <3
