
These lines of code are causing an XXE vulnerability to show up in a Checkmarx report:

// response body of an outbound connection (attacker-influenced XML)
InputStream is = connection.getInputStream();

// default StAX factory: DTD processing and external entity resolution left enabled
XMLInputFactory factory = XMLInputFactory.newInstance();
XMLStreamReader reader = factory.createXMLStreamReader(is);

The issue states that:

"The application sends a request to a remote server, for some resource, using createXMLStreamReader. However, an attacker can control the target of the request, by sending a URL or other data in getInputStream."

Any ideas how to resolve this?

Artanis
  • What is the name of the vulnerability that is found? Also, can you share the entire code that makes the attack vector as marked by Checkmarx? – yaloner Dec 27 '18 at 12:50
  • It looks like it's causing 2 vulnerabilities, both with the same description I gave; their names are "improper restriction of XXE ref" and another one, "SSRF". They both have destination object of createXMLStreamReader. – Artanis Dec 27 '18 at 15:11
  • https://stackoverflow.com/questions/12977299/prevent-xxe-attack-with-jaxb looks like it may be answer, still need to verify – Artanis Dec 27 '18 at 22:26

1 Answer


Found an answer that worked for me here; add these properties to the XMLInputFactory:

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

XMLInputFactory xif = XMLInputFactory.newFactory();

// prevents using external resources (external entities) when parsing xml
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

// prevents using external document type definition when parsing xml
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);

// create the reader from the hardened factory, not from a default one
XMLStreamReader reader = xif.createXMLStreamReader(is);
Artanis
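To make the effect of those two properties visible, here is an added, self-contained example (not code from the question or the answer above). It writes a temporary file standing in for a secret, builds a constructed XXE payload whose external entity points at that file, and parses it once with a default XMLInputFactory and once with the hardened one. The same entity mechanism is what lets a parser fetch an http:// URL, which is why Checkmarx reports SSRF alongside XXE for the same call. The class name StaxXxeDemo, the temp file, and the payload are all assumptions of this example; exactly what the default factory does is implementation-dependent (the JDK's built-in StAX parser expands the entity, other implementations such as Woodstox may differ), so the program reports what happened rather than assuming it.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Added example: default vs. hardened XMLInputFactory on a constructed XXE payload. */
public class StaxXxeDemo {

    /** Hardened factory: the two properties from the answer, DTDs off and external entities off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Parses xml with the given factory and returns all character data it saw. */
    static String textContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file; in a real attack this would be /etc/passwd or a metadata URL.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed payload: an external entity referencing that file (an http:// URL here is the SSRF case).
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        for (String label : new String[] {"default", "hardened"}) {
            XMLInputFactory xif = label.equals("default") ? XMLInputFactory.newFactory() : hardenedFactory();
            try {
                String text = textContent(xif, payload);
                boolean leaked = text.contains("SECRET-CONTENT");
                System.out.println(label + " factory: parsed, secret leaked = " + leaked);
            } catch (XMLStreamException e) {
                // With DTD support disabled the parser may reject the DOCTYPE or the undeclared entity outright.
                System.out.println(label + " factory: rejected by parser: " + e.getMessage());
            }
        }
    }
}
```

Run it with `javac StaxXxeDemo.java && java StaxXxeDemo`. The useful check is the second line: the hardened factory must either reject the document or parse it without the secret appearing; if it prints `secret leaked = true`, the StAX implementation on your classpath is ignoring the properties and needs its own hardening settings. Only the factory you actually call createXMLStreamReader on matters, so the fix has to replace the `XMLInputFactory.newInstance()` in the flagged code path, not merely exist elsewhere.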