
I ran my Java code against SonarQube and I got 'Disable XML external entity (XXE) processing' as a vulnerability. I spent some time on Google trying to resolve the issue. I have been trying a lot of approaches but nothing is working for me. I don't know what I'm missing.

My Code:

        // Imports the snippet needs:
        import javax.xml.XMLConstants;
        import javax.xml.parsers.DocumentBuilder;
        import javax.xml.parsers.DocumentBuilderFactory;
        import org.w3c.dom.Document;

        final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
        docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The two lines below use StAX (XMLInputFactory) property names. They are not
        // features of the DOM parser, so DocumentBuilderFactory.setFeature() rejects them
        // with a ParserConfigurationException. They are commented out so the snippet runs;
        // the Xerces feature URIs further down cover the same ground for the DOM parser.
        // docFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // docFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);

        // Reject any DOCTYPE outright; without a DTD no entity can be declared at all.
        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a DOCTYPE is ever allowed again: no external entities.
        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
        final Document doc = docBuilder.parse(filepath);

I'm using Java 1.8. Any help is appreciated. Thanks.

cheetoo
  • Have you had a look at : https://stackoverflow.com/questions/40649152/how-to-prevent-xxe-attack and this rule from Sonar: https://sonarcloud.io/organizations/alexlittle-github/rules?open=squid%3AS2755&rule_key=squid%3AS2755 – iCrus Jun 26 '19 at 16:49
    Your code looks fine to me, perhaps the checker is just being stupid. Also, what people so often forget is that the XXE vulnerability only applies if you are processing untrusted XML. If you know where the XML came from and trust the code that generated it, XXE is not an issue. Unfortunately though the security people don't always understand that subtlety. – Michael Kay Jun 26 '19 at 17:18
  • Hi iCrus. I have tried all those possibilities from SonarQube but I still haven't fixed it yet – cheetoo Jun 26 '19 at 17:41

4 Answers


I ended up adding all of the following attributes in order to stop Sonar complaining about this vulnerability:

        import javax.xml.XMLConstants;
        import javax.xml.parsers.DocumentBuilder;
        import javax.xml.parsers.DocumentBuilderFactory;
        import javax.xml.parsers.ParserConfigurationException;

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

        //REDHAT
        //https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
        factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty protocol list means no external DTD or schema
        // may be fetched over any protocol (file, http, ...).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        //OWASP
        //https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
        // Rejecting the DOCTYPE altogether is the strongest single setting: no DTD, no entity declarations.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Disable external DTDs as well
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        // newDocumentBuilder() throws ParserConfigurationException if a feature is not supported.
        DocumentBuilder builder = factory.newDocumentBuilder();
chomp

Java 9+ solution:

For me, changing DocumentBuilderFactory.newInstance() to DocumentBuilderFactory.newDefaultInstance() was enough to get rid of this warning.

Line
    Don't see the method newDefaultInstance() on javax.xml.parsers.DocumentBuilderFactory – Anand Jul 09 '20 at 13:43
  • @Anand it was introduced in Java 9. – Line Jul 10 '20 at 11:32
  • With no additional information, this sounds more like a way to defeat Sonar's check (e.g. it does not know about this method, so it does not flag it), and not a way to solve the underlying vulnerability. Basically, it looks like you went and did just the same, but behind Sonar's back. (Once more, without additional information.) – GPI Jan 13 '21 at 09:55
  • @GPI that may be true, I haven't investigated it. If anyone knows the reason behind such behaviour, please feel free to edit the answer and add it – Line Jan 14 '21 at 12:14
  • This solution works with 'XMLInputFactory'. Along with this we need to add the property xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); – vineeth sivan Feb 14 '23 at 12:22

It should be enough to just set these two features:

import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// No DOCTYPE means no place to declare an entity at all.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// And no external general entities even if a DTD were present.
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
Michał S

I fixed this issue by adding the code snippet below:

import javax.xml.parsers.SAXParserFactory;

SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
// Reject any DOCTYPE, so no entity can be declared.
saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Do not resolve external general or parameter entities.
saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Do not fetch an external DTD even in non-validating mode.
saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// XInclude can pull in external documents too.
saxParserFactory.setXIncludeAware(false);
Mohnish
Theodore