SV.XXE.TF
Possibility of an XML External Entity attack
This error is reported when XML input is processed by a weakly configured XML parser, TransformerFactory.
Vulnerability and risk
An XML external entity (XXE) attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, or other system impacts.
Mitigation and prevention
The safest way to prevent an XML external entity attack is to completely disable DTDs (and with them external entities). The method differs from parser to parser. For example, the DocumentBuilderFactory XML parser can be configured by using the following technique to protect it against an XML external entity attack:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
...
// Reject any DOCTYPE declaration; this alone prevents entity-based XXE (setFeature throws ParserConfigurationException if unsupported)
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Belt-and-braces for parsers that must accept a DOCTYPE: do not resolve external general or parameter entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
...
Vulnerable code example
import javax.xml.transform.TransformerFactory;
public class Test {
    public void test1() throws javax.xml.transform.TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance(); // default settings: external DTDs and stylesheets may be fetched
        tf.newTransformer(); // SV.XXE.TF is reported here (line 5)
    }
}
In this example, Klocwork reports an SV.XXE.TF error at line 5, indicating that XML input is processed by the weakly configured XML parser 'TransformerFactory'.
Fixed code example
import javax.xml.transform.TransformerFactory;
public class Test {
    public void test1() throws javax.xml.transform.TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // An empty protocol list means "no access": external DTDs, schemas and stylesheets are never fetched
        tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
        tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
        tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
        tf.newTransformer(); // no longer reported: the factory cannot reach external resources
    }
}
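As an added example, not taken from the Klocwork documentation or the checker's own code, the following self-contained Java program builds a TransformerFactory hardened the way the fixed example does (using the XMLConstants names for the same attribute URIs, plus the secure-processing feature) and then shows the effect: a plain document passes through an identity transform, while a document whose DTD declares an external entity is rejected before the parser reads anything from the referenced location. The class and method names, the identity stylesheet and both sample inputs are constructed for this demonstration; the entity's system identifier is a placeholder path, not a real file.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerDemo {

    // Identity stylesheet shared by both transforms (constructed for this demo).
    static final String IDENTITY_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
      + "<xsl:template match=\"@*|node()\"><xsl:copy>"
      + "<xsl:apply-templates select=\"@*|node()\"/></xsl:copy></xsl:template>"
      + "</xsl:stylesheet>";

    // Benign input: no DOCTYPE, nothing external to resolve (constructed).
    static final String PLAIN_XML = "<doc><item>hello</item></doc>";

    // Input whose internal DTD declares an external general entity. The system
    // identifier is a placeholder; the hardened factory never tries to open it.
    static final String EXTERNAL_ENTITY_XML =
        "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>"
      + "<doc>&ext;</doc>";

    /**
     * Factory that refuses to fetch external DTDs/entities and external
     * stylesheets (xsl:import, xsl:include, document()). An empty protocol
     * list is the JAXP convention for "no protocol is allowed".
     */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Also enables the JDK's entity-expansion and other resource limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Same URIs as "http://javax.xml.XMLConstants/property/accessExternalDTD"
        // and ".../accessExternalStylesheet" used in the fixed example above.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /**
     * Runs the identity transform on xml with the given factory. Returns the
     * serialized output, or null when the factory's access policy rejects the
     * document (surfaced to the caller as a TransformerException).
     */
    static String transformOrNull(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer(
                new StreamSource(new StringReader(IDENTITY_XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // Log the policy rejection; this is the signal a defender wants to see
            // in application logs rather than a silently fetched external resource.
            System.out.println("rejected by access policy: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws TransformerException {
        TransformerFactory hardened = hardenedFactory();
        System.out.println("plain input      -> " + transformOrNull(hardened, PLAIN_XML));
        System.out.println("external entity  -> " + transformOrNull(hardened, EXTERNAL_ENTITY_XML));
    }
}
```

Compile and run with `javac HardenedTransformerDemo.java && java HardenedTransformerDemo`: the first transform prints the copied document, the second prints null after the rejection message. The policy is enforced by the factory, so every Transformer it creates inherits it; configuring the factory once at startup (rather than at each call site) is what makes a checker such as SV.XXE.TF easy to satisfy and audit.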
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.