Missing secure configuration in DocumentBuilderFactory

Description

DocumentBuilderFactory is used without disabling DOCTYPE declarations or external entity features, which can expose the application to XML External Entity (XXE) attacks, leading to reading internal server files, Denial of Service, or Server-Side Request Forgery (SSRF).

Examples

Insecure Code

java

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

Secure Code

java

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// OR
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);

Remediation

Set one of the following combinations: disallow-doctype-decl = true OR external-general-entities = false AND external-parameter-entities = false

Rule Details

Field	Value
ID	CODE-0002
Category	Injection
Severity	MEDIUM
CWE	CWE-611
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XXE, XML External Entity
OWASP	A05:2021-Security Misconfiguration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Missing secure configuration in DocumentBuilderFactory

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Missing secure configuration in DocumentBuilderFactory ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Missing secure configuration in DocumentBuilderFactory

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details