XSLT Translation with Potentially Malicious Input
Description
The application performs XSLT translation with potentially malicious input, allowing an adversary to influence which XSL document is loaded and thereby mount XML External Entity (XXE) attacks or invoke XSL functions.
Examples
Insecure Code

```java
TransformerFactory transformerFactory = TransformerFactory.newInstance();
// The stylesheet path comes straight from the user, so the adversary chooses the XSL document.
Source xslSource = new StreamSource(new FileInputStream(userInput));
Transformer transformer = transformerFactory.newTransformer(xslSource);
```

Secure Code

```java
TransformerFactory transformerFactory = TransformerFactory.newInstance();
// Secure processing disables extension functions and applies the JAXP resource limits.
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
// The stylesheet is an application-owned file, not a user-supplied path.
Source xslSource = new StreamSource(new FileInputStream("hardcoded.xsl"));
Transformer transformer = transformerFactory.newTransformer(xslSource);
```

Remediation
Enable the FEATURE_SECURE_PROCESSING feature before processing the XSLT file by calling transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); and load the stylesheet from a location the application controls rather than from user input.
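The following is an added, self-contained example (not code from the original rule page) of a hardened transform: the stylesheet is a constant owned by the application, secure processing is enabled, and the standard JAXP attributes that block external DTDs and external stylesheet includes are also set. The class name, the sample stylesheet and the sample input are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXslt {

    // Constructed sample stylesheet: the application ships this; the user never chooses it.
    private static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"/report/title\"/></xsl:template>"
      + "</xsl:stylesheet>";

    /** Builds a factory that refuses extension functions and external resources. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Disables extension functions and applies the JAXP processing limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list blocks external DTDs and external xsl:include / xsl:import.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Transforms untrusted XML data with the fixed, application-owned stylesheet. */
    static String render(String untrustedXml) throws TransformerException {
        Transformer t = hardenedFactory()
            .newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed input: the data document is the only thing the caller controls.
        String xml = "<report><title>Quarterly summary</title></report>";
        System.out.println(render(xml));
    }
}
```

If the installed TransformerFactory does not support the access-external attributes, setAttribute throws IllegalArgumentException; treat that as a configuration failure rather than silently continuing.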
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0732 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-91 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |