Security - XML Parsing, prevent XXE attack


gilbert...@googlemail.com

May 23, 2016, 7:45:06 AM5/23/16
to SonarQube
Using SonarQube 5.4

Despite having the rules:

Security - XML Parsing Vulnerable to XXE (DocumentBuilder)
Security - XML Parsing Vulnerable to XXE (SAXParser)
Security - XML Parsing Vulnerable to XXE (XMLReader)


activated, preventing an XXE attack by unmarshalling from an XMLStreamReader that has the
IS_SUPPORTING_EXTERNAL_ENTITIES and/or XMLInputFactory.SUPPORT_DTD properties
set to false is not covered, e.g.

    import java.io.InputStream;
    import javax.xml.stream.XMLInputFactory;
    import javax.xml.stream.XMLStreamConstants;
    import javax.xml.stream.XMLStreamException;
    import javax.xml.stream.XMLStreamReader;

    public String parseXML(InputStream input, XMLStreamReader r) throws XMLStreamException {
        StringBuilder content = new StringBuilder();
        // Both StAX properties explicitly enabled: the insecure configuration
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
        // As posted: the reader consumed is the one passed in, not one built from the factory
        XMLStreamReader reader = r;
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.CHARACTERS) {
                content.append(reader.getText());
            }
        }
        return content.toString();
    }


should raise two issues, because the properties from XMLInputFactory are both set to true, but
no issues are created; see a good explanation on Stackoverflow


Regards,
Gilbert


Nicolas Peru

Jul 20, 2016, 10:38:10 AM7/20/16
to gilbert...@googlemail.com, SonarQube
Hi Gilbert, 

Sorry for the delayed answer, but could you specify exactly which rules you activated (I'm looking for the rule key here)? They do not seem to be rules provided by the SonarJava plugin but by another rule engine.

Cheers, 

--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com

philipp...@gmail.com

Jul 20, 2016, 10:49:58 AM7/20/16
to SonarQube
Those are rules from the FindBugs plugin.
Currently, the vulnerability is identified when the parsing is triggered, which is the moment when the XML entities could be evaluated. The search for a proper configuration is done in the same method.

Nonetheless, I think your suggestion is excellent. If a method explicitly enables the properties of an XML parser, it should be flagged.
You can follow the evolution and discussion here: https://github.com/find-sec-bugs/find-sec-bugs/issues/209
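
As an added illustration of the two posts above (this is not code from the thread, from SonarQube or from FindSecBugs), the program below puts the two insecure XMLInputFactory settings from Gilbert's snippet next to the hardened ones and runs both over a constructed XXE payload whose external entity points at a temporary file the program creates itself. Unlike the snippet in the first post, the reader here is created from the factory inside the same method that performs the parse, which is the shape Philippe describes the detector looking at. Class and method names, the marker string and the temporary file are the example's own.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeDemo {

    // Insecure: the two properties the first post sets to true, made explicit.
    static XMLInputFactory insecureFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, true);
        return f;
    }

    // Hardened: refuse DTDs altogether and, as a second layer, external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Concatenate all character data. The reader is built from the factory in
    // this same method, so the configuration and the parse sit together.
    static String parseXML(XMLInputFactory factory, String xml) throws XMLStreamException {
        StringBuilder content = new StringBuilder();
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS || event == XMLStreamConstants.CDATA) {
                    content.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return content.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (example data only).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-MARKER-42".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: an external general entity resolving to that file.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE data [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<data>&xxe;</data>";

        String leaked = parseXML(insecureFactory(), payload);
        System.out.println("insecure factory -> \"" + leaked + "\"");

        String safe;
        try {
            safe = parseXML(hardenedFactory(), payload);
            System.out.println("hardened factory -> \"" + safe + "\"");
        } catch (XMLStreamException e) {
            // Some StAX implementations reject the DOCTYPE outright when DTD support is off.
            safe = "";
            System.out.println("hardened factory -> rejected: " + e.getMessage());
        }
        if (safe.contains("SECRET-MARKER-42")) {
            throw new AssertionError("hardened factory leaked file content");
        }
    }
}
```

With the insecure factory the marker string from the temporary file appears in the parsed text, which is the XXE the FindSecBugs rules are meant to catch. With the hardened factory the document is either rejected with an XMLStreamException or parsed without the entity's content, depending on the StAX implementation on the classpath; the final check only fails if file content actually leaks, so it does not depend on which of the two behaviours you get.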

gilbert...@googlemail.com

Jul 22, 2016, 2:51:39 AM7/22/16
to SonarQube, philipp...@gmail.com
Hi,

a few weeks ago..

//Gilbert
