Update: XML External Entity (XXE) Prevention Cheat Sheet #488
Labels: ACK_WAITING (issue waiting for acknowledgement from the core team before work on a fix starts), HELP_WANTED (issue for which help is wanted to do the job), UPDATE_CS (issue about the update/refactoring of an existing cheat sheet)
The JAXB > Java 8 and Up sub-section on the XXE Cheat Sheet can be misleading. The advice in this section succinctly states
This statement is too broad. It does not account for all the nuances that can lead the `javax.xml.bind.Unmarshaller` to be vulnerable or used in a way that is vulnerable on OpenJDK 1.8 based runtimes. An application parsing untrusted XML on an OpenJDK 1.8 runtime may be vulnerable to XXE if

- the `XMLReader` the `Unmarshaller` uses has been inadvertently replaced with a different implementation that is not safe-by-default (e.g. xercesImpl:2.8.0)
- one of the `unmarshal` overloads that does not delegate XML parsing to the safe-by-default SAX parser is called

Elaborating on that last point, even if the `Unmarshaller` is considered safe by default, not all of its `unmarshal` methods use the safe by default `XMLReader`. Calling `unmarshal` with any of the following argument types still requires the user to explicitly configure the XML parsing to be safe

The following is a detailed analysis that explains why users should not rely on the safe by default nature of the `Unmarshaller` in OpenJDK 1.8: https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb

Recommend removing this sub-section from the Cheat Sheet
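The pitfall the issue describes, shown as an added Java example that is neither part of the issue nor of the OWASP cheat sheet: when the caller hands `Unmarshaller.unmarshal` an already-constructed `XMLStreamReader` (or a `SAXSource` carrying its own `XMLReader`), JAXB parses with that reader and its own safe-by-default SAX parser is never involved, so the caller must harden the factory themselves. The `User` type, the XXE probe document and the `file:///etc/hostname` target are constructed for this example; the `javax.xml.bind` package is the one present on Java 8 runtimes.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class JaxbXxeDemo {

    // Hypothetical payload type, constructed for this example.
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
    }

    // Constructed XXE probe: declares an external entity and references it.
    // The file path is illustrative; any readable local file would do.
    static final String XXE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE user [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n" +
        "<user><name>&ext;</name></user>";

    // UNSAFE: the caller builds the XMLStreamReader with a default XMLInputFactory,
    // so JAXB never applies its safe-by-default SAX parser. Whether &ext; is
    // resolved depends entirely on the StAX implementation's defaults.
    static User unmarshalViaDefaultStax(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) u.unmarshal(xsr);
    }

    // HARDENED (StAX): disable DTD support and external entity resolution on
    // the factory the caller controls before handing the reader to JAXB.
    static User unmarshalViaHardenedStax(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) u.unmarshal(xsr);
    }

    // HARDENED (SAX): build an XMLReader with DOCTYPE declarations disallowed
    // and wrap it in a SAXSource, so JAXB parses with the reader we configured
    // rather than whatever XMLReader implementation happens to be on the classpath.
    static User unmarshalViaHardenedSax(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) u.unmarshal(source);
    }

    interface Parse { User call() throws Exception; }

    static void run(String label, Parse p) {
        try {
            User u = p.call();
            System.out.println(label + ": parsed, name=" + u.name);
        } catch (Exception e) {
            // The hardened paths are expected to land here: the DOCTYPE is
            // rejected or the entity reference is left undeclared.
            System.out.println(label + ": rejected (" + e.getClass().getSimpleName() + ")");
        }
    }

    public static void main(String[] args) {
        run("default StAX reader", () -> unmarshalViaDefaultStax(XXE_XML));
        run("hardened StAX reader", () -> unmarshalViaHardenedStax(XXE_XML));
        run("hardened SAX reader", () -> unmarshalViaHardenedSax(XXE_XML));
    }
}
```

Compile and run it on a Java 8 JDK (`javac JaxbXxeDemo.java && java JaxbXxeDemo`). The point to take away is that the `Unmarshaller` is the same object in all three paths; what decides whether the external entity is fetched is the reader the application constructed and passed in, which is exactly why "safe by default" cannot be asserted for `unmarshal` as a whole.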