/
xmlinputfactory-dtd-enabled.yaml
38 lines (38 loc) · 1.44 KB
/
xmlinputfactory-dtd-enabled.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
rules:
- id: xmlinputfactory-dtd-enabled
patterns:
- pattern-not-inside: | # nosemgrep: slow-pattern-top-ellipsis
...
$XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
- pattern-either:
- pattern: $XMLFACTORY = XMLInputFactory.newFactory(...)
- pattern: $XMLFACTORY = XMLInputFactory.newInstance(...)
- pattern: $XMLFACTORY = new XMLInputFactory(...)
message: >-
XMLInputFactory being instantiated without calling the setProperty functions that are generally used
for disabling entity processing.
User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities
like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port
scanning.
Make sure to disable entity processing functionality.
languages: [scala]
severity: WARNING
metadata:
cwe:
- 'CWE-611: Improper Restriction of XML External Entity Reference'
owasp:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
category: security
technology:
- scala
confidence: HIGH
references:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM