External entities enabled in XMLInputFactory
Description
An `XMLInputFactory` (StAX) is configured with `javax.xml.stream.isSupportingExternalEntities` set to `true`, so the parser resolves external entity declarations such as `<!ENTITY x SYSTEM "file:///etc/passwd">` in attacker-supplied XML. This exposes the application to XML External Entity (XXE) injection: an attacker who controls the input can read local files, make the server issue requests to internal hosts (SSRF), or cause denial of service through entity expansion or slow external resources.
Examples
Insecure Code
```java
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
```
Secure Code
```java
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
```
Remediation
Set the `javax.xml.stream.isSupportingExternalEntities` property to `false` (the constant `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`) so the parser does not fetch external entities. Disabling external entities alone does not stop entity-expansion denial of service (for example the "billion laughs" attack, which uses only internal entities); unless the application genuinely needs DTDs, also set `javax.xml.stream.supportDTD` (`XMLInputFactory.SUPPORT_DTD`) to `false` to reject DTDs entirely. Apply both settings on the factory before any `createXMLStreamReader` or `createXMLEventReader` call, and prefer the constants over string literals, since a mistyped property name is only detected at run time.
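The program below is an added illustration, not part of the original rule page. It builds a hardened `XMLInputFactory` (external entities and DTD support both disabled) next to the flagged insecure configuration, then runs a constructed XXE payload through each and reports what the parser produced. The class name `StaxXxeDemo` and the helper names are my own; the payload points at `/etc/passwd` so that running it against the insecure factory on your own Unix machine shows real file content leaking into the document text, while the hardened factory fails the parse.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeDemo {

    // Constructed payload: a classic file-disclosure XXE. The external entity
    // is declared in an inline DTD and referenced in the element body.
    static final String XXE_PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
          + "<data>&xxe;</data>";

    // Hardened factory: reject DTDs entirely and, as defence in depth,
    // refuse to resolve external entities even if DTDs were allowed.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // The configuration this rule flags: external entities explicitly enabled.
    static XMLInputFactory insecureFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
        return factory;
    }

    // Parse the document with the given factory and describe the outcome:
    // either the text content the application would have received, or the
    // parser error that stopped the document from being processed.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    // With the insecure factory this is where /etc/passwd shows up.
                    text.append(reader.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Seen only when the parser leaves references unexpanded
                    // (IS_REPLACING_ENTITY_REFERENCES set to false).
                    text.append("[unresolved entity: ").append(reader.getLocalName()).append(']');
                }
            }
            reader.close();
            return "parsed; text content = \"" + text + "\"";
        } catch (XMLStreamException e) {
            return "rejected by parser: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened : " + parse(hardenedFactory(), XXE_PAYLOAD));
        System.out.println("insecure : " + parse(insecureFactory(), XXE_PAYLOAD));
    }
}
```

With the JDK's built-in StAX implementation the hardened factory raises an `XMLStreamException` for this document, because the DTD that declares `xxe` is not supported and the reference cannot be satisfied; the insecure factory resolves the `file:` URI and returns the file contents as character data. Other StAX providers (for example Woodstox) honour the same two standard properties but may word the error differently.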
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0674 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, XML |
| OWASP | A05:2021-Security Misconfiguration |