documentbuilderfactory-disallow-doctype-decl-false-java

Sakshis · Sakshis · commit 606ee9b37751 · 2024-12-04T11:13:26.000Z
diff --git a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml b/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml
@@ -0,0 +1,46 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+language: java
+severity: warning
+message: >-
+    DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
+      external entity declarations, this is vulnerable to XML external entity
+      attacks. Disable this by setting the feature
+      "http://apache.org/xml/features/disallow-doctype-decl" to true.
+      Alternatively, allow DOCTYPE declarations and only prohibit external
+      entities declarations. This can be done by setting the features
+      "http://xml.org/sax/features/external-general-entities" and
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+  [CWE-611]: mproper Restriction of XML External Entity Reference
+  [OWASP A04:2017]: XML External Entities (XXE)
+  [OWASP A05:2021 - Security Misconfiguration]
+  [REFERENCES]
+       https://blog.sonarsource.com/secure-xml-processor
+       https://xerces.apache.org/xerces2-j/features.html
+utils:
+  match_expression_statement:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: method_invocation
+      all:
+        - has:
+           stopBy: end
+           kind: identifier
+        - has:
+           stopBy: end
+           kind: identifier
+           regex: '^setFeature$'
+      has:
+        kind: argument_list
+        all:
+          - has:
+             stopBy: end
+             kind: string_literal
+             regex: 'http://apache.org/xml/features/disallow-doctype-decl'
+          - has:
+             stopBy: end
+             regex: '^false$'
+rule:
+  any:
+    - matches: match_expression_statement
diff --git a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml
@@ -0,0 +1,70 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+snapshots:
+  ? |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  : labels:
+    - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+      style: primary
+      start: 106
+      end: 184
+    - source: dbf
+      style: secondary
+      start: 106
+      end: 109
+    - source: setFeature
+      style: secondary
+      start: 110
+      end: 120
+    - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+      style: secondary
+      start: 121
+      end: 175
+    - source: 'false'
+      style: secondary
+      start: 177
+      end: 182
+    - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 120
+      end: 183
+    - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 106
+      end: 183
+  ? |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  : labels:
+    - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+      style: primary
+      start: 94
+      end: 172
+    - source: spf
+      style: secondary
+      start: 94
+      end: 97
+    - source: setFeature
+      style: secondary
+      start: 98
+      end: 108
+    - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+      style: secondary
+      start: 109
+      end: 163
+    - source: 'false'
+      style: secondary
+      start: 165
+      end: 170
+    - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 108
+      end: 171
+    - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+      style: secondary
+      start: 94
+      end: 171
diff --git a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml b/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml
@@ -0,0 +1,51 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+valid:
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    }
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    }
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    } 
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    } 
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+    } 
+  - |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    }
+invalid:
+  - |
+    ParserConfigurationException {
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
+  - |
+    ParserConfigurationException {
+        SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    }
