Checker Xxe, as of Julia version 2.5.0 (built on 4 Jul 2018)

belongs to group Basic

Identify potential external XML entity reference attacks


This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced from those files. This can lead to security problems, since such entities might be downloaded from insecure servers, or their resolution might exhaust memory or otherwise cause a denial of service. As OWASP puts it: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."

Action: Turn off the automatic resolution and download of external entities referenced from XML files, before parsing such files. This can be done in different ways, depending on the kind of XML parser that is used. See the OWASP XML External Entity Prevention Cheat Sheet for the correct configuration of each kind of parser.

Examples


Consider the following program:

public class XxeAttacks {

  public @EntryPoint void test1a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    db.parse(is);
  }

  public @EntryPoint void test2a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
    DocumentBuilder db = dbf.newDocumentBuilder();
    db.parse(is);
  }

  public @EntryPoint void test3a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
    dbf.setFeature(FEATURE, false);
    DocumentBuilder db = dbf.newDocumentBuilder();
    db.parse(is);
  }

  public @EntryPoint void test4a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
    dbf.setFeature("completely irrelevant", false);
    DocumentBuilder db = dbf.newDocumentBuilder();
    db.parse(is);
  }

  public @EntryPoint void test5a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    if (System.currentTimeMillis() % 2 == 0)
      dbf.setFeature(FEATURE, true);
    DocumentBuilder db = dbf.newDocumentBuilder();
    db.parse(is);
  }
}

This checker issues the following warnings:

XxeAttacks.java:5: [Xxe: XXEAttackWarning] This call to method "parse" seems to perform unrestricted XML external entity reference. This might lead to information exposure or denial of service attacks
XxeAttacks.java:22: [Xxe: XXEAttackWarning] This call to method "parse" seems to perform unrestricted XML external entity reference. This might lead to information exposure or denial of service attacks
XxeAttacks.java:40: [Xxe: XXEAttackWarning] This call to method "parse" seems to perform unrestricted XML external entity reference. This might lead to information exposure or denial of service attacks

since the XML parsing at lines 5, 22 and 40 is performed without turning off the automatic resolution of entities referenced from the XML file. Note that the XML parsing at line 12 uses a document builder factory whose http://apache.org/xml/features/disallow-doctype-decl feature is set to true; hence no external entity is resolved there and no warning is issued. At line 20, however, the same feature is reset to false, hence a warning is issued at line 22. The feature set at line 29 is irrelevant to entity resolution, so the earlier setting still holds and no warning is issued at line 31. In the final example, the feature is set at line 38, but only on some execution paths, hence a warning is issued at line 40.

In this example, the programmer should always set the http://apache.org/xml/features/disallow-doctype-decl feature to true, on every execution path, before parsing the XML file.
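The following is an added example, not code from the Julia documentation or from the analysed program above. It shows a DocumentBuilderFactory configured the way the checker expects: the disallow-doctype-decl feature is set unconditionally, inside a single factory method that every parse call goes through, so no execution path can reach parse with the feature unset. The class and method names (SafeXmlParsing, hardenedBuilder, parseUntrusted) are assumed for illustration; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser. The sample document in main is constructed and its entity points at a placeholder host.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Assumed class name for this added example.
public class SafeXmlParsing {

  // Feature checked by the Xxe checker: reject any DOCTYPE, so no entities can be declared at all.
  private static final String DISALLOW_DOCTYPE =
      "http://apache.org/xml/features/disallow-doctype-decl";
  // Defence in depth for parsers that honour these SAX/Xerces features but not the one above.
  private static final String EXTERNAL_GENERAL =
      "http://xml.org/sax/features/external-general-entities";
  private static final String EXTERNAL_PARAMETER =
      "http://xml.org/sax/features/external-parameter-entities";
  private static final String LOAD_EXTERNAL_DTD =
      "http://apache.org/xml/features/nonvalidating/load-external-dtd";

  /** Builds a DocumentBuilder that rejects DOCTYPE declarations and never resolves external entities. */
  public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Set unconditionally: there is no branch on which parse can run with the feature off.
    dbf.setFeature(DISALLOW_DOCTYPE, true);
    dbf.setFeature(EXTERNAL_GENERAL, false);
    dbf.setFeature(EXTERNAL_PARAMETER, false);
    dbf.setFeature(LOAD_EXTERNAL_DTD, false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf.newDocumentBuilder();
  }

  /** Every parse of untrusted input goes through the hardened builder. */
  public static Document parseUntrusted(InputStream is)
      throws ParserConfigurationException, SAXException, IOException {
    return hardenedBuilder().parse(is);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: a document carrying a DOCTYPE with an external entity
    // whose system identifier is a placeholder host that is never contacted.
    String sample = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>\n"
        + "<note>&ext;</note>";
    try (InputStream is = new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8))) {
      parseUntrusted(is);
      System.out.println("unexpected: document with DOCTYPE was accepted");
    } catch (SAXException e) {
      // Expected with disallow-doctype-decl: the parser stops at the DOCTYPE,
      // before any external entity could be fetched.
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

Because the feature is set inside hardenedBuilder rather than at each call site, a reviewer (or the checker) only has to confirm one place, and the pattern flagged in test5a above, a setFeature call that runs on some paths only, cannot arise. If an application genuinely needs a DTD, the disallow-doctype-decl feature cannot be used; then the three entity-related features must all be set to false instead, again on every path before parse.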