DOCTYPE declaration explicitly enabled in XML parser
Description
The Xerces feature `disallow-doctype-decl` is explicitly set to `false`, so the parser accepts DOCTYPE declarations. The DOCTYPE is where an attacker-controlled document defines its own entities, so allowing it is the precondition for XML External Entity (XXE) injection (local file disclosure, SSRF against internal services) and for entity-expansion denial of service ("billion laughs"). `false` is already the Xerces default, so an explicit `false` usually overrides a hardened setting applied elsewhere. Treat the finding as high risk unless the same factory also disables external entity resolution (`external-general-entities` and `external-parameter-entities` set to `false`) and restricts access to external DTDs.
Examples
Insecure Code
```java
// Re-enables DOCTYPE declarations: an inbound document may now define entities in its DTD
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
```
Secure Code
```java
// Rejects any document that carries a DOCTYPE, removing the DTD that XXE depends on
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
```
Remediation
Preferred: set `disallow-doctype-decl` to `true`. The parser then rejects any DOCTYPE, which blocks external entities and internal entity-expansion attacks alike. If the application must accept documents with a DOCTYPE, set both `external-general-entities` and `external-parameter-entities` to `false` (and `load-external-dtd` to `false`), and set the `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` attributes to `""` so the JAXP implementation refuses to fetch external DTDs and schemas. Apply every setting to the factory before `newDocumentBuilder()` is called; features set on a different factory instance do not protect this one.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0762 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, XML External Entity |
| OWASP | A05:2021-Security Misconfiguration |