I'm receiving a Veracode error CWE 611, flagging a block with the following code:
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

@SuppressWarnings("unchecked") // caller supplies T; the cast is unchecked
public static <T> T toObject(JAXBContext jaxbContext, String xml)
        throws JAXBException, XMLStreamException {
    XMLInputFactory xif = XMLInputFactory.newFactory();
    // XXE defences: no external entities, no DTD processing
    xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
    XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
    var unmarshaller = jaxbContext.createUnmarshaller();
    return (T) unmarshaller.unmarshal(xsr);
}
This seems to conform to the OWASP cheat sheet for preventing XXE attacks: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser
What flag am I failing to see and set to prevent an XXE attack?
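The following is an added example, not code from the question: it takes the same three XMLInputFactory settings used in toObject(), leaves JAXB out so it runs on a bare JDK, and feeds the factory a constructed XXE payload next to a benign document. It also prints the effective value of each property via getProperty(), which is the runtime check worth doing when a static scanner and the configuration disagree, since a StAX implementation can accept a setProperty() call without honouring it. The class and method names and the sample documents are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeCheck {

    // Same three settings as the toObject() method in the question.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, false);
        return xif;
    }

    // Concatenate the character content of the document, roughly what JAXB
    // sees when it binds an element to a String. Throws if the reader refuses
    // the input.
    static String textContent(XMLInputFactory xif, String xml) throws XMLStreamException {
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (xsr.hasNext()) {
                int ev = xsr.next();
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    sb.append(xsr.getText());
                }
                // An implementation may hand back an unresolved reference as an
                // ENTITY_REFERENCE event instead of text; treat that as a failure
                // rather than silently dropping it.
                if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    throw new XMLStreamException(
                            "unresolved entity reference: " + xsr.getLocalName());
                }
            }
        } finally {
            xsr.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign document and a classic XXE payload
        // that tries to pull a local file in through an external general entity.
        String benign = "<user><name>alice</name></user>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
                + "<user><name>&xxe;</name></user>";

        XMLInputFactory xif = hardenedFactory();

        // Check what the implementation actually honours: getProperty() reflects
        // the effective value, not merely what setProperty() was asked for.
        String[] props = {
                XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
                XMLInputFactory.SUPPORT_DTD,
                XMLInputFactory.IS_NAMESPACE_AWARE };
        for (String p : props) {
            System.out.println(p + " supported=" + xif.isPropertySupported(p)
                    + " value=" + xif.getProperty(p));
        }

        try {
            System.out.println("benign -> " + textContent(xif, benign));
        } catch (XMLStreamException e) {
            System.out.println("benign unexpectedly rejected: " + e.getMessage());
        }
        try {
            System.out.println("xxe -> " + textContent(xif, xxe));
            System.out.println("WARNING: entity was expanded; factory is not hardened");
        } catch (XMLStreamException e) {
            // Expected outcome with SUPPORT_DTD=false: the DTD subset is skipped,
            // so &xxe; is an undeclared entity and the parse fails. The exact
            // message depends on the StAX implementation on the classpath.
            System.out.println("xxe rejected: " + e.getMessage());
        }
    }
}
```

Run it once with the StAX implementation that is actually on your classpath in production (the JDK's built-in parser and Woodstox behave differently in detail); if the benign document parses and the payload is rejected, the factory configuration is doing its job at runtime regardless of what the scanner reports.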