Merge pull request #3362 from semgrep/inkz/xmlinputfactory-fix-2

Fix Java xmlinputfactory rules (again)
semgrep · Apr 25, 2024 · fc2cb1f · fc2cb1f
2 parents 27f35ab + f3da09a
commit fc2cb1f
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml
@@ -35,5 +35,7 @@ rules:
   - pattern-either:
       - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true);
       - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);
+      - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.TRUE);
+      - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
   languages:
   - java
diff --git a/java/lang/security/xmlinputfactory-possible-xxe.java b/java/lang/security/xmlinputfactory-possible-xxe.java
@@ -29,6 +29,18 @@ public GoodConstXMLInputFactory() {
     }
 }
 
+class GoodConstXMLInputFactory1 {
+    public GoodConstXMLInputFactory1() {
+        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+
+        // See
+        // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
+        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+        // ok
+        xmlInputFactory.setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    }
+}
+
 class BadXMLInputFactory1 {
     public BadXMLInputFactory1() {
         // ruleid:xmlinputfactory-possible-xxe

diff --git a/java/lang/security/xmlinputfactory-possible-xxe.yaml b/java/lang/security/xmlinputfactory-possible-xxe.yaml
@@ -45,6 +45,18 @@ rules:
         $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
         ...
       }
+  - pattern-not-inside: |
+      $METHOD(...) {
+        ...
+        $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE);
+        ...
+      }
+  - pattern-not-inside: |
+      $METHOD(...) {
+        ...
+        $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        ...
+      }
   - pattern-either:
     - pattern: javax.xml.stream.XMLInputFactory.newFactory(...)
     - pattern: new XMLInputFactory(...)