Sonar violation: Disable XML external entity (XXE) processing #7468

@romani

Description

https://sonarcloud.io/project/issues?id=org.checkstyle%3Acheckstyle&issues=AW9t2w41YD2QG1pPXIVJ&open=AW9t2w41YD2QG1pPXIVJ

Vulnerability at src/.../tools/checkstyle/XmlLoader.java
Disable XML external entity (XXE) processing.

All details of the rule: https://rules.sonarsource.com/java/RSPEC-2755

Reply from Security expert:

Hi Roman,
The next line `setFeaturesBySystemProperty` does disable the loading of external entities when the system property is not configured by the user.

```java
// LOAD_EXTERNAL_DTD and EXTERNAL_GENERAL_ENTITIES hold the SAX/Xerces feature URIs;
// ENABLE_EXTERNAL_DTD_LOAD is the name of the system property read below.
public static void setFeaturesBySystemProperty(SAXParserFactory factory)
        throws SAXException, ParserConfigurationException {
    // Defaults to "false": external DTD loading and external general entities
    // stay disabled unless the user explicitly opts in.
    final boolean enableExternalDtdLoad = Boolean.parseBoolean(
        System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
    factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
    factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
}
```

I would validate that you are using all of the prevention methods suggested in this document here:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
The cases you need to be concerned with are any involving the use of the SAXParserFactory.
If you find any cases you are missing, then you may be vulnerable. In which case, please let me know.
Cheers,
Jonathan Leitschuh

TODO:
We need to investigate this to make sure whether we are vulnerable.
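To make the investigation concrete, here is an added, self-contained check (not code from checkstyle or from the reply above) that builds a `SAXParserFactory` the way the OWASP cheat sheet recommends and runs a constructed probe document through it. The probe declares an external entity pointing at a path that does not exist, so the three outcomes are easy to tell apart: a strict factory rejects the DOCTYPE outright, a DOCTYPE-tolerant factory parses but reports the entity as skipped, and an unhardened factory tries to open the file. Compared with the snippet above, the tolerant configuration also switches off external parameter entities, which the cheat sheet lists alongside general entities. The class and method names are illustrative; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Illustrative XXE hardening check; not part of checkstyle. */
public final class XxeHardeningCheck {

    // Standard Xerces / SAX feature URIs referenced by the OWASP cheat sheet.
    private static final String DISALLOW_DOCTYPE_DECL =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Constructed probe document: the external entity points at a path that does
    // not exist, so a parser that tries to resolve it fails loudly instead of silently.
    private static final String PROBE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///nonexistent/example.txt\">]>\n"
        + "<root>&ext;</root>\n";

    /** Strictest option: reject any DOCTYPE, which removes the XXE vector entirely. */
    public static SAXParserFactory strictFactory()
            throws ParserConfigurationException, SAXException {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    /** For inputs that legitimately carry a DOCTYPE: keep it, but never fetch external resources. */
    public static SAXParserFactory doctypeTolerantFactory()
            throws ParserConfigurationException, SAXException {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        return factory;
    }

    /** Parses the probe document with the given factory and describes what the parser did. */
    public static String probe(SAXParserFactory factory) {
        final boolean[] skipped = {false};
        final DefaultHandler handler = new DefaultHandler() {
            @Override
            public void skippedEntity(String name) {
                // The parser saw the entity reference but refused to resolve it.
                skipped[0] = true;
            }
        };
        try (InputStream in = new ByteArrayInputStream(
                PROBE_XML.getBytes(StandardCharsets.UTF_8))) {
            final SAXParser parser = factory.newSAXParser();
            parser.parse(in, handler);
            return skipped[0]
                ? "DOCTYPE accepted, external entity left unresolved"
                : "parsed without skipping the entity: inspect this configuration";
        }
        catch (SAXParseException ex) {
            return "rejected by parser: " + ex.getMessage();
        }
        catch (IOException ex) {
            return "parser tried to open the external resource: " + ex.getMessage();
        }
        catch (ParserConfigurationException | SAXException ex) {
            return "parser configuration error: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("strict:           " + probe(strictFactory()));
        System.out.println("doctype tolerant: " + probe(doctypeTolerantFactory()));
        System.out.println("JDK default:      " + probe(SAXParserFactory.newInstance()));
    }
}
```

Running the check against every place that creates a `SAXParserFactory` is a quick way to answer the TODO: any factory whose probe result is neither "rejected by parser" nor "external entity left unresolved" is one where the hardening has not been applied.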
