Problems with Rule 'Security - XML parsing vulnerable to XXE (XMLReader)'


Dominik Kaspar

unread,
Mar 27, 2018, 4:40:06 AM3/27/18
to SonarQube
Hi,

We encountered two issues with the rule "Security - XML parsing vulnerable to XXE (XMLReader)" with ID 'findsecbugs:XXE_XMLREADER'.
The description of the rule proposes two solutions:
  1. Using the "Secure processing" mode
  2. Disabling DTD

The first solution (Secure Processing) leads to a Runtime exception with our Java parser

(We are using xercesImpl-2.11.0.SP3.jar which is part of our Wildfly container 9.0.2.2)

try {
    xr.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
catch (SAXException sae) {
    throw new MyException("SAXException occurred while setting the secure parsing flag", sae);
}
xr.parse(f.getAbsolutePath());

And the exception is:

Caused by: org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
        at org.apache.xerces.parsers.AbstractSAXParser.setFeature(AbstractSAXParser.java:1654)
        at __redirected.__XMLReaderFactory.setFeature(__XMLReaderFactory.java:132)
        at ch.adnovum.appweb3.common.util.MyHandler.parse(MyHandler.java:95)

I suggest that the Sonar description should mention that this feature is not supported by all parsers.

Since this is a runtime exception, it normally only happens when you have automated tests or when a user really uses the part of the source code. So this might lead to serious bugs being introduced by eager developers trying to fix Sonar violations.


The second solution (disabling DTD) does not work across methods


Disabling DTD worked when the feature is set in the same method as the parse() call (as in the code example above).

However, when I refactor the code and set the feature in a separate method, the Sonar rule does not notice this, e.g. like this:


private XMLReader setupXmlReader() {
    XMLReader xr = XMLParserHelper.createXmlReader();
    xr.setContentHandler(this);
    xr.setEntityResolver(this);
    try {
        xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }
    catch (SAXException sae) {
        throw new MyException("SAXException occurred while setting the secure parsing flag", sae);
    }
    return xr;
}


Now calling parse() in another method will still result in a Sonar issue, although DTD is disabled!


Regards,

Dominik
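A hardened XMLReader setup, added here as an illustration and not code from the thread, from SonarQube or from Find Security Bugs: it keeps the feature flags in their own factory method (the refactoring described in the post), tolerates a parser that rejects the secure-processing feature, and fails closed when DOCTYPE cannot be disallowed. It assumes the JDK's built-in SAX parser; the feature URIs are the standard SAX/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
public class HardenedXmlReader {
    // Standard SAX/Xerces feature URIs; the first is the one used in the thread.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Returns false instead of throwing when the parser does not know the feature.
    static boolean trySetFeature(XMLReader xr, String feature, boolean value) {
        try {
            xr.setFeature(feature, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false;
        }
    }

    // Hardening lives in its own method, the refactoring the rule does not track.
    public static XMLReader createHardenedReader() throws Exception {
        XMLReader xr = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        // Secure processing is best-effort: older Xerces builds reject it, as in the thread.
        trySetFeature(xr, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE is the decisive control; fall back to blocking external entities.
        if (!trySetFeature(xr, DISALLOW_DOCTYPE, true)
                && !(trySetFeature(xr, EXT_GENERAL, false) && trySetFeature(xr, EXT_PARAMETER, false))) {
            throw new SAXException("parser cannot be hardened against XXE; refusing to use it");
        }
        return xr;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying a DOCTYPE, which the hardened reader must reject.
        String withDoctype = "<!DOCTYPE d [<!ENTITY x \"y\">]><d>&x;</d>";
        XMLReader xr = createHardenedReader();
        xr.setContentHandler(new DefaultHandler());
        try {
            xr.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("parsed: DOCTYPE was accepted, parser is not hardened");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the rule only looks inside the method that calls parse(), a static analyser may still flag this layout; a unit test that feeds a DOCTYPE document through createHardenedReader() and expects a SAXException is the check that actually proves the parser is hardened.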

Michael Gumowski

unread,
Jun 5, 2018, 5:32:31 AM6/5/18
to Dominik Kaspar, SonarQube
Hello,

Sorry for the late reply Dominik. As you mentioned, this is obviously a rule which is not provided by one of the SonarSource plugins, as it is part of Find Security Bugs. Because I'm not sure they are monitoring this mailing list, I would suggest that you report the issue directly to the maintainers concerned: https://github.com/find-sec-bugs/find-sec-bugs/issues

Regards,
Michael

--
Michael Gumowski | SonarSource
Software Developer, Language Team
https://www.sonarsource.com