XML parsing vulnerable to XEE
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: java-security/xml-parsing-xee
Language: Java
Severity: Notice
Category: Security
CWE: 611
Description
Systems may be vulnerable to an XML External Entity attack when they process XML from untrusted sources.
Learn More
Non-Compliant Code Examples
public class TestClass {
public void parseXML(InputStream input) throws XMLStreamException {
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty("aproperty", false);
XMLStreamReader reader = factory.createXMLStreamReader(input);
factory.setProperty("anotherproperty", false);
}
}
Compliant Code Examples
public class TestClass {
public void parseXML(InputStream input) throws XMLStreamException {
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty("aproperty", false);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
factory.setProperty("anotherproperty", false);
XMLStreamReader reader = factory.createXMLStreamReader(input);
}
}
public class TestClass {
public void parseXML(InputStream input) throws XMLStreamException {
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty("aproperty", false);
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
factory.setProperty("anotherproperty", false);
XMLStreamReader reader = factory.createXMLStreamReader(input);
}
}
Seamless integrations. Try Datadog Code Analysis