7

I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below

...

  import java.io.ByteArrayInputStream;
  import java.io.InputStream;
  import javax.xml.XMLConstants;
  import javax.xml.parsers.DocumentBuilder;
  import javax.xml.parsers.DocumentBuilderFactory;
  import org.w3c.dom.Document;

  DocumentBuilderFactory dbf = null;
  DocumentBuilder db = null;
  try {
        dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        dbf.setValidating(false);
        // the builder must be assigned, otherwise db stays null and db.parse() throws a NullPointerException
        db = dbf.newDocumentBuilder();
        InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
        Document doc = db.parse(stream, "");

...

I've been researching, but I haven't found a reason for this finding or a way to make it disappear. Could you tell me how to do it?

Hitesh
Jose Miguel

2 Answers

9

Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

  dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
  dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
  dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DelGurth
  • With the new rules this does not work. Veracode reports it. – Xelian May 31 '17 at 06:33
  • OWASP now added a more extensive document about how to prevent XXE: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet But I have to admit I don't know Veracode at all, nor do I have access to it. So I can't validate whether the OWASP recommendations are complete now according to Veracode. But I don't understand why it would no longer work. Perhaps you are using a different XML parser that needs to be configured a bit differently? – DelGurth May 31 '17 at 07:23
  • No, I used the previous fix and Veracode stopped reporting it, but then it started again a few days ago. I use the same parser. – Xelian Jun 02 '17 at 07:33
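As an added example (not code from the question or from DelGurth's answer), here is the questioner's DocumentBuilderFactory setup with the three features from the answer applied, plus the load-external-dtd feature that the OWASP cheat sheet linked above also lists. The class name, method names and the two sample documents are constructed for this demonstration. Running it shows a plain document parsing normally and a DOCTYPE-bearing document being rejected before any entity is resolved, which is the behaviour that removes the XXE exposure from the original snippet.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Constructed example class; not part of the question or the answer.
public class HardenedDomParser {

    // Builds a DocumentBuilderFactory with DTD processing disabled entirely.
    // disallow-doctype-decl is the decisive setting: with it, the parser
    // refuses any DOCTYPE, so no entity (internal or external) can be declared.
    // The remaining features are defence in depth for parsers that still
    // accept a DTD.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses a string with the hardened factory; the builder is assigned,
    // unlike in the original snippet where its result was discarded.
    public static Document parse(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        return db.parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one plain document and one that carries a
        // DOCTYPE with a harmless internal entity, to show the rejection path.
        String plain = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY e \"x\">]><root>&e;</root>";

        System.out.println("plain root element: " + parse(plain).getDocumentElement().getTagName());
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            // With the JDK's built-in parser this reports that DOCTYPE is disallowed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain `javac HardenedDomParser.java && java HardenedDomParser`; no external libraries are needed. If a project genuinely requires DTDs, drop only the disallow-doctype-decl line and keep the entity and external-DTD features off; that is the weaker configuration and is the one scanners are more likely to keep flagging.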
1

Background:

The XXE attack is constructed around XML language capabilities to define arbitrary entities using the external Data Type Definition (DTD) and the ability to read or execute files.

Below is an example of an XML file containing a DTD declaration that, when processed, may return the contents of the local “/etc/passwd” file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
    <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Mitigation:

To avoid exploitation of an XXE vulnerability, the best approach is to disable the ability to load entities from an external source.

Now the way to disable DTDs will differ depending upon the language used (Java, C++, .NET) and the XML parser being used (DocumentBuilderFactory, SAXParserFactory, TransformerFactory, to name a few for the Java language).

The two official references below provide the best information on how to achieve this.

https://rules.sonarsource.com/java/RSPEC-2755

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md

Krutik