XML parsing vulnerable to XEE

Docs > Code Analysis > Static Analysis Rules > XML parsing vulnerable to XEE

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: java-security/xml-parsing-xee

Language: Java

Severity: Notice

Category: Security

CWE: 611

Description

Systems may be vulnerable to an XML External Entity attack when they process XML from untrusted sources.

Learn More

Non-Compliant Code Examples

public class TestClass {

    public void parseXML(InputStream input) throws XMLStreamException {

        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty("aproperty", false);
        XMLStreamReader reader = factory.createXMLStreamReader(input);
        factory.setProperty("anotherproperty", false);
    }
}

Compliant Code Examples

public class TestClass {

    public void parseXML(InputStream input) throws XMLStreamException {

        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty("aproperty", false);
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty("anotherproperty", false);
        XMLStreamReader reader = factory.createXMLStreamReader(input);
    }
}

public class TestClass {

    public void parseXML(InputStream input) throws XMLStreamException {

        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty("aproperty", false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        factory.setProperty("anotherproperty", false);
        XMLStreamReader reader = factory.createXMLStreamReader(input);
    }
}