Sonar violation: Disable XML external entity (XXE) processing #7468
Comments
From the links in the Sonar description (the same link Jonathan provided us), https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller, here is a clear example that we do the disablement correctly, BUT there are 3 features and we use only 2.
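As an added illustration (not checkstyle's own XmlLoader code), the three features from the OWASP JAXB section set together on a SAX reader, plus secure processing; the reader is then fed a constructed document that declares an external general entity with a placeholder SYSTEM identifier, and the content handler records that the parser skipped the entity rather than resolving it. Class and handler names here are my own.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXmlLoaderExample {

    /** Builds an XMLReader with all three OWASP features disabled and secure processing on. */
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The three features listed in the OWASP JAXB section. Leaving out the
        // third still lets the parser fetch an external DTD named via SYSTEM.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Records element text and the name of any entity the parser refused to expand. */
    static final class RecordingHandler extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        final List<String> skipped = new ArrayList<>();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }

        @Override
        public void skippedEntity(String name) {
            skipped.add(name);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a checkstyle-style module element whose DOCTYPE
        // declares an external general entity. The SYSTEM URI is a placeholder.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE module [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\"> ]>\n"
            + "<module name=\"Checker\">&ext;</module>";
        XMLReader reader = newHardenedReader();
        RecordingHandler handler = new RecordingHandler();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
        System.out.println("text=\"" + handler.text + "\" skipped=" + handler.skipped);
    }
}
```

With the general-entity feature off, the SAX parser reports the entity through skippedEntity instead of reading the SYSTEM target, so nothing from outside the document reaches the handler.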
Fix is merged. @romani can this issue be a breaking change?
It should not, but it might; let's keep it misc.
Does this need a CVE assigned to it?
I do not know how to reproduce it, so I am not sure that a CVE needs to be created.
Hey @romani, I've got confirmation from someone that there is indeed a vuln here. Please add myself and these two security researchers from Snyk.
Done.
com.puppycrawl.tools:checkstyle Upgrade com.puppycrawl.tools:checkstyle to version 8.29 or later. https://cwe.mitre.org/data/definitions/611.html checkstyle/checkstyle#7468
https://sonarcloud.io/project/issues?id=org.checkstyle%3Acheckstyle&issues=AW9t2w41YD2QG1pPXIVJ&open=AW9t2w41YD2QG1pPXIVJ
Vulnerability at src/.../tools/checkstyle/XmlLoader.java
Disable XML external entity (XXE) processing.
All details of such rule - https://rules.sonarsource.com/java/RSPEC-2755
Reply from Security expert:
TODO:
We need to investigate this to make sure whether we are vulnerable.