JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
Java

JAVA.LIB.XML.XXE : Possible XML External Entity Reference (Java)

Summary

A method call might perform an unrestricted XML external entity reference.

This checker finds code that parses XML files without turning off the loading and parsing of external entities referenced in the XML files. This can lead to security problems, since such entities might be downloaded from insecure servers or from servers that lead to out of memory or denial of service. As OWASP puts it, An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Properties

Class Name Possible XML External Entity Reference (Java)
Significance security
Mnemonic JAVA.LIB.XML.XXE
Categories
CWE CWE:611 Improper Restriction of XML External Entity Reference
  CWE:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
DISA-6r1 DISA-6r1:V-222608 The application must not be vulnerable to XML-oriented attacks.
DISA-5r3 DISA-5r3:V-70269 The application must not be vulnerable to XML-oriented attacks.
DISA-4r3 DISA-4r3:V-70269 The application must not be vulnerable to XML-oriented attacks.
OWASP-2017 OWASP-2017:A4 XML external entities
  OWASP-2017:A6 Security misconfiguration
OWASP-2021 OWASP-2021:A5 Security misconfiguration
OWASP-2025 OWASP-2025:A02 Security Misconfiguration
Availability Available for Java and Kotlin.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += discard class="Possible XML External Entity Reference (Java)"

Example 

public class XxeAttacks {

  public @EntryPoint void test1a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }

  public @EntryPoint void test2a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);                                                 // disallow-doctype-decl set
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                                                                  // ok because disallow-doctype-decl is  set            
  }

  public @EntryPoint void test3a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);
      dbf.setFeature(FEATURE, false);                                                // disallow-doctype-decl reset to false
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }

  public @EntryPoint void test4a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      dbf.setFeature(FEATURE, true);
      dbf.setFeature("completely irrelevant", false);
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);
  }

  public @EntryPoint void test5a(InputStream is) throws ParserConfigurationException, SAXException, IOException {
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
      if (System.currentTimeMillis() % 2 == 0)
          dbf.setFeature(FEATURE, true);                                             // disallow-doctype-decl is set, but not for all executions
      DocumentBuilder db = dbf.newDocumentBuilder();
      db.parse(is);                     // "Possible XML External Entity Reference (Java)" warning issued here 
  }
}

To resolve the warnings, the programmer ensure that disallow-doctype-decl is always set to true, on every execution path, before parsing the XML file.

Resolution

Turn off the automatic resolution and download of external entities referenced from XML files, before parsing such files. This can be done in different ways, depending on the kind of XML parser that is used. Check here for the correct solution for each kind of parsers.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.