TransformerFactory missing secure configuration

Description

TransformerFactory is used without disabling access to external DTDs or stylesheets. This can lead to XML External Entity (XXE) vulnerabilities. These XXE vectors can: Access internal files, Trigger SSRF (Server Side Request Forgery), Perform denial-of-service attacks

Examples

Insecure Code

java

TransformerFactory factory = TransformerFactory.newInstance();

Secure Code

java

TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Remediation

Set the following properties: factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Rule Details

Field	Value
ID	CODE-0754
Category	Injection
Severity	MEDIUM
CWE	CWE-611
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XXE, XML External Entity
OWASP	A05:2021-Security Misconfiguration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

TransformerFactory missing secure configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

TransformerFactory missing secure configuration ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

TransformerFactory missing secure configuration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details