How to fix sonar issues in below code
import org.springframework.core.io.ClassPathResource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;

public class XmlUtility {

    public static String removeNamespaceAndReturnChildElement(String xmlString, String xmlTagName)
            throws TransformerException, ParserConfigurationException, SAXException, IOException {
        var transformerFactory = TransformerFactory.newInstance();
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Stylesheet shipped with the application (loaded from the classpath, not from user input)
        StreamSource namespaceRemoverXslt = new StreamSource(new ClassPathResource("/namespaceRemover.xslt").getFile());
        var transformer = transformerFactory.newTransformer(namespaceRemoverXslt); //NON-Compliant - Security - A malicious XSLT could be provided
        StringWriter xmlTagNameBufferWithoutNamespace = new StringWriter();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        // Wrap the XML text in a Reader: StreamSource(String) would treat the string as a system ID (URL), not as content
        transformer.transform(new StreamSource(new StringReader(xmlString)), new StreamResult(xmlTagNameBufferWithoutNamespace));

        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setExpandEntityReferences(false);
        documentBuilderFactory.setValidating(true); //NON-Compliant - XML parsers should not load external schemas
        var documentBuilder = documentBuilderFactory.newDocumentBuilder();
        var inputSource = new InputSource(new StringReader(xmlTagNameBufferWithoutNamespace.toString()));
        org.w3c.dom.Document xmlDocument = documentBuilder.parse(inputSource);

        // First element with the requested tag name (null if the document contains none)
        var deliveryNode = xmlDocument.getElementsByTagName(xmlTagName).item(0);
        StringWriter bufferFirstXmlElement = new StringWriter();
        transformer.transform(new DOMSource(deliveryNode), new StreamResult(bufferFirstXmlElement));
        return bufferFirstXmlElement.toString();
    }
}
In the line var transformer = transformerFactory.newTransformer(namespaceRemoverXslt);
Sonar complains with the error "Security - A malicious XSLT could be provided" even though I enabled the secure processing feature in the transformer factory. I hear that if my application has some other dependencies like hibernate-core, then Sonar might show such errors.
I am loading the xslt from my classpath so I trust the xslt.
Not sure about the 2nd error, so ignore the 2nd one. In the line documentBuilderFactory.setValidating(true)
Sonar complains with the error "XML parsers should not load external schemas". If I remove it, then Semgrep gives the error "code fails to enable validation before parsing XML, i.e. documentBuilder.parse(inputSource), which gives an attacker the opportunity to supply malicious input".
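An added example (not code from the question) showing one way to express what the two rules are asking for: the XSLT is compiled only from a stylesheet inside the application's own classpath with external DTD and stylesheet access switched off, and the DocumentBuilder validates against a classpath XSD supplied via setSchema() instead of setValidating(true), so neither an external DTD nor an external schema is ever fetched. The class name HardenedXmlFactories and the XSD resource are assumptions; the stylesheet path is the one from the question.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.InputStream;

// Assumed helper class, not part of the question's XmlUtility.
public final class HardenedXmlFactories {
    // Compile only a stylesheet shipped in our own jar; external DTDs and external stylesheets
    // (xsl:import, xsl:include, document()) are refused before the XSLT is read.
    public static Transformer trustedTransformer(String classpathXslt) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        try (InputStream xslt = HardenedXmlFactories.class.getResourceAsStream(classpathXslt)) {
            if (xslt == null) throw new IllegalStateException("missing stylesheet " + classpathXslt);
            return tf.newTransformer(new StreamSource(xslt));
        }
    }

    // XSD validation instead of DTD validation: setValidating(false) stops the parser fetching
    // external DTDs, while the Schema (compiled with external access disabled) still enforces structure.
    public static DocumentBuilder validatingBuilder(String classpathXsd) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema;
        try (InputStream xsd = HardenedXmlFactories.class.getResourceAsStream(classpathXsd)) {
            if (xsd == null) throw new IllegalStateException("missing schema " + classpathXsd);
            schema = sf.newSchema(new StreamSource(xsd));
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // With DOCTYPE declarations rejected outright, no DTD-based entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);      // required for XSD validation to see element names correctly
        dbf.setValidating(false);         // DTD validation off; XSD validation comes from setSchema()
        dbf.setSchema(schema);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Without an ErrorHandler the JDK parser only logs schema violations; make them fail the parse.
        db.setErrorHandler(new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXParseException { throw e; }
        });
        return db;
    }
}
```

Usage in the question's method would be trustedTransformer("/namespaceRemover.xslt") and validatingBuilder("/delivery.xsd") (the XSD name is a placeholder), with the rest of the transform and parse logic unchanged.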