From 6ece39728afa4432dd6702cfef0eb961ab3c49e7 Mon Sep 17 00:00:00 2001 From: leonardo-pilastri-sonarsource <115481625+leonardo-pilastri-sonarsource@users.noreply.github.com> Date: Wed, 19 Jun 2024 18:55:26 +0200 Subject: [PATCH] [NO JIRA] Remove forgotten SE rules metadata from sonar-java-plugin (#4823) --- .../org/sonar/l10n/java/rules/java/S2755.html | 156 ------------------ .../org/sonar/l10n/java/rules/java/S2755.json | 48 ------ .../org/sonar/l10n/java/rules/java/S3518.html | 58 ------- .../org/sonar/l10n/java/rules/java/S3518.json | 38 ----- .../org/sonar/l10n/java/rules/java/S6373.html | 104 ------------ .../org/sonar/l10n/java/rules/java/S6373.json | 47 ------ .../org/sonar/l10n/java/rules/java/S6376.html | 96 ----------- .../org/sonar/l10n/java/rules/java/S6376.json | 39 ----- .../org/sonar/l10n/java/rules/java/S6377.html | 65 -------- .../org/sonar/l10n/java/rules/java/S6377.json | 37 ----- 10 files changed, 688 deletions(-) delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.html delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.json delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.html delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.json delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.html delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.json delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.html delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.json delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.html delete mode 100644 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.json diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.html deleted file mode 100644 index c3d23046475..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.html +++ /dev/null @@ -1,156 +0,0 @@ -

This vulnerability allows the usage of external entities in XML.

-

Why is this an issue?

-

External Entity Processing allows for XML parsing with the involvement of external entities. However, when this functionality is enabled without -proper precautions, it can lead to a vulnerability known as XML External Entity (XXE) attack.

-

What is the potential impact?

-

Exposing sensitive data

-

One significant danger of XXE vulnerabilities is the potential for sensitive data exposure. By crafting malicious XML payloads, attackers can -reference external entities that contain sensitive information, such as system files, database credentials, or configuration files. When these -entities are processed during XML parsing, the attacker can extract the contents and gain unauthorized access to sensitive data. This poses a severe -threat to the confidentiality of critical information.

-

Exhausting system resources

-

Another consequence of XXE vulnerabilities is the potential for denial-of-service attacks. By exploiting the ability to include external entities, -attackers can construct XML payloads that cause resource exhaustion. This can overwhelm the system’s memory, CPU, or other critical resources, leading -to system unresponsiveness or crashes. A successful DoS attack can disrupt the availability of services and negatively impact the user experience.

-

Forging requests

-

XXE vulnerabilities can also enable Server-Side Request Forgery (SSRF) attacks. By leveraging the ability to include external entities, an attacker -can make the vulnerable application send arbitrary requests to other internal or external systems. This can result in unintended actions, such as -retrieving data from internal resources, scanning internal networks, or attacking other systems. SSRF attacks can lead to severe consequences, -including unauthorized data access, system compromise, or even further exploitation within the network infrastructure.

-

How to fix it in Java SE

-

Code examples

-

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE -attacks if an attacker can control the XML file that is processed.

-

Noncompliant code example

-
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant
-
-

Compliant solution

-

Protection from XXE can be done in several different ways. Choose one depending on how the affected parser object is used in your code.

-

1. The first way is to completely disable DOCTYPE declarations:

-
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-// - SchemaFactory
-factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
-
-

2. Disable external entity declarations completely:

-
-// Applicable to:
-// - DocumentBuilderFactory
-// - SAXParserFactory
-factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-
-// For XMLInputFactory:
-factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
-
-

3. Prohibit the use of all protocols by external entities:

-
-// `setAttribute` variant, applicable to:
-// - DocumentBuilderFactory
-// - TransformerFactory
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-
-// `setProperty` variant, applicable to:
-// - XMLInputFactory
-// - SchemaFactory
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-
-// For SAXParserFactory, the prohibition is done on child objects:
-SAXParser parser = factory.newSAXParser();
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-
-

How does this work?

-

Disable external entities

-

The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for -specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the -appropriate properties or options in your XML parser library or framework.

-

If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved -during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are -processed.
You should rely on features provided by your XML parser to restrict the external entities.

-

Going the extra mile

-

Disable entity expansion

-

Specifically for DocumentBuilderFactory, it is possible to disable the entity expansion. Note, however, that this does not prevent the -retrieval of external entities.

-
-factory.setExpandEntityReferences(false);
-
-

How to fix it in Dom4j

-

Code examples

-

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE -attacks if an attacker can control the XML file that is processed.

-

Noncompliant code example

-
-import org.dom4j.io.SAXReader;
-
-public void decode() {
-    SAXReader xmlReader = new SAXReader(); // Noncompliant
-}
-
-

Compliant solution

-
-import org.dom4j.io.SAXReader;
-
-public void decode() {
-    SAXReader xmlReader = new SAXReader();
-    xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-}
-
-

How does this work?

-

Disable external entities

-

The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for -specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the -appropriate properties or options in your XML parser library or framework.

-

If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved -during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are -processed.
You should rely on features provided by your XML parser to restrict the external entities.

-

How to fix it in Jdom2

-

Code examples

-

The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE -attacks if an attacker can control the XML file that is processed.

-

Noncompliant code example

-
-import org.jdom2.input.SAXBuilder;
-
-public void decode() {
-    SAXBuilder builder = new SAXBuilder(); // Noncompliant
-}
-
-

Compliant solution

-
-import org.jdom2.input.SAXBuilder;
-
-public void decode() {
-    SAXBuilder builder = new SAXBuilder();
-    builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-    builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-}
-
-

How does this work?

-

Disable external entities

-

The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for -specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the -appropriate properties or options in your XML parser library or framework.

-

If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved -during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are -processed.
You should rely on features provided by your XML parser to restrict the external entities.

-

Resources

-

Standards

- - diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.json deleted file mode 100644 index 30d28d2f879..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2755.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "title": "XML parsers should not be vulnerable to XXE attacks", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "COMPLETE" - }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "15min" - }, - "tags": [ - "cwe", - "symbolic-execution" - ], - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-2755", - "sqKey": "S2755", - "scope": "Main", - "securityStandards": { - "CWE": [ - 611, - 827 - ], - "OWASP": [ - "A4" - ], - "OWASP Top 10 2021": [ - "A5" - ], - "PCI DSS 3.2": [ - "6.5.1" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "5.5.2" - ], - "STIG ASD 2023-06-08": [ - "V-222608" - ] - }, - "quickfix": "infeasible" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.html deleted file mode 100644 index 4606b5c6e94..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.html +++ /dev/null @@ -1,58 +0,0 @@ -

If the denominator to an integer division or remainder operation is zero, a ArithmeticException is thrown.

-

This error will crash your program in most cases. To fix it, you need to ensure that the denominator value in all division operations is always -non-zero, or check the value against zero before performing the division.

-

Why is this an issue?

-

A division (/) or remainder operation (%) by zero indicates a bug or logical error. This is because in Java, a division -or remainder operation where the denominator is zero and not a floating point value always results in an ArithmeticException being -thrown.

-

When working with double or float values, no exception will be thrown, but the operation will result in special floating -point values representing either positive infinity, negative infinity, or NaN. Unless these special values are explicitly handled by a -program, zero denominators should be avoided in floating point operations, too. Otherwise, the application might produce unexpected results.

-

What is the potential impact?

-

Issues of this type interrupt the normal execution of a program, causing it to crash or putting it into an inconsistent state. Therefore, this -issue might impact the availability and reliability of your application, or even result in data loss.

-

If the computation of the denominator is tied to user input data, this issue can potentially even be exploited by attackers to disrupt your -application.

-

Noncompliant code example

-
-void test_divide() {
-  int z = 0;
-  if (unknown()) {
-    // ..
-    z = 3;
-  } else {
-    // ..
-  }
-  z = 1 / z; // Noncompliant, possible division by zero
-}
-
-

Compliant solution

-
-void test_divide() {
-  int z = 0;
-  if (unknown()) {
-    // ..
-    z = 3;
-  } else {
-    // ..
-    z = 1;
-  }
-  z = 1 / z;
-}
-
-

Resources

-

Documentation

- -

Standards

- - diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.json deleted file mode 100644 index bafd784f171..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3518.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "title": "Zero should not be a possible denominator", - "type": "BUG", - "code": { - "impacts": { - "RELIABILITY": "HIGH" - }, - "attribute": "LOGICAL" - }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "5 min" - }, - "tags": [ - "cwe", - "denial-of-service", - "cert", - "symbolic-execution" - ], - "defaultSeverity": "Critical", - "ruleSpecification": "RSPEC-3518", - "sqKey": "S3518", - "scope": "All", - "securityStandards": { - "CERT": [ - "NUM02-J.", - "INT33-C." - ], - "CWE": [ - 369 - ], - "STIG ASD 2023-06-08": [ - "V-222612" - ] - }, - "quickfix": "infeasible" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.html deleted file mode 100644 index afe3d20dc89..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.html +++ /dev/null @@ -1,104 +0,0 @@ -

XML standard allows the inclusion of XML files with the xinclude element. When an XML parser component is set up with the -http://apache.org/xml/features/xinclude feature, it will follow the standard and allow the inclusion of remote files.

-

Why is this an issue?

-

When the XML parser will encounter an xinclude element, it will try to load the file pointed to by the href attribute -into the document. Included files can either be local files found on the file system of the application server, or remote files that are downloaded -over HTTP, SMB, or other protocols, depending on the capabilities of the application and server.

-

The files that can be accessed that way are only limited by the entitlement of the application on the local system and the network filtering the -server is subject to.

-

This issue is particularly severe when the XML parser is used to parse untrusted documents. For example, when user-submitted XML messages are -parsed that way.

-

What is the potential impact?

-

Allowing the inclusion of arbitrary files in XML documents can have two main consequences depending on what type of file is included: local or -remote.

-

Sensitive file disclosure

-

If the application allows the inclusion of arbitrary files through the use of the xinclude element, it might be used to disclose -arbitrary files from the local file system. Depending on the application’s permissions on the file system, configuration files, runtime secrets, or -Personally Identifiable Information could be leaked.

-

This is particularly true if the affected parser is used to process untrusted XML documents.

-

Server-side request forgery

-

When used to retrieve remote files, the application will send network requests to remote hosts. Moreover, it will do so from its current network -location, which can have severe consequences if the application server is located on a sensitive network, such as the company corporate network or a -DMZ hosting other applications.

-

Attackers exploiting this issue could try to access internal backend services or corporate file shares. It could allow them to access more -sensitive files, bypass authentication mechanisms from frontend applications, or exploit further vulnerabilities in the local services. Note that, in -some cases, the requests sent from the application can be automatically authenticated on federated locations. This is often the case in Windows -environments when using Active Directory federated authentication.

-

How to fix it in Java SE

-

Code examples

-

The following code is vulnerable because it explicitly enables the xinclude feature.

-

Noncompliant code example

-
-import javax.xml.parsers.SAXParserFactory;
-
-SAXParserFactory factory = SAXParserFactory.newInstance();
-
-factory.setXIncludeAware(true); // Noncompliant
-factory.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
-
-

Compliant solution

-
-import javax.xml.parsers.SAXParserFactory;
-
-SAXParserFactory factory = SAXParserFactory.newInstance();
-
-factory.setXIncludeAware(false);
-factory.setFeature("http://apache.org/xml/features/xinclude", false);
-
-

How to fix it in Dom4j

-

Code examples

-

The following code is vulnerable because it explicitly enables the xinclude feature.

-

Noncompliant code example

-
-import org.dom4j.io.SAXReader;
-
-SAXReader xmlReader = new SAXReader();
-xmlReader.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
-
-

Compliant solution

-
-import org.dom4j.io.SAXReader;
-
-SAXReader xmlReader = new SAXReader();
-xmlReader.setFeature("http://apache.org/xml/features/xinclude", false);
-
-

How to fix it in Jdom2

-

Code examples

-

The following code is vulnerable because it explicitly enables the xinclude feature.

-

Noncompliant code example

-
-import org.jdom2.input.SAXBuilder;
-
-SAXBuilder builder = new SAXBuilder();
-builder.setFeature("http://apache.org/xml/features/xinclude", true); // Noncompliant
-
-

Compliant solution

-
-import org.jdom2.input.SAXBuilder;
-
-SAXBuilder builder = new SAXBuilder();
-builder.setFeature("http://apache.org/xml/features/xinclude", false);
-
-

How does this work?

-

The compliant code example explicitly prevents the inclusion of files in XML documents by setting the -http://apache.org/xml/features/xinclude feature property to false.

-

Resources

-

Documentation

- -

Standards

- - diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.json deleted file mode 100644 index 1574a93f442..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6373.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "title": "XML parsers should not allow inclusion of arbitrary files", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "HIGH" - }, - "attribute": "CONVENTIONAL" - }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "15min" - }, - "tags": [ - "symbolic-execution" - ], - "defaultSeverity": "Blocker", - "ruleSpecification": "RSPEC-6373", - "sqKey": "S6373", - "scope": "Main", - "securityStandards": { - "CWE": [ - 611, - 827 - ], - "OWASP": [ - "A4" - ], - "OWASP Top 10 2021": [ - "A5" - ], - "PCI DSS 3.2": [ - "6.5.1" - ], - "PCI DSS 4.0": [ - "6.2.4" - ], - "ASVS 4.0": [ - "5.5.2" - ], - "STIG ASD 2023-06-08": [ - "V-222608" - ] - }, - "quickfix": "infeasible" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.html deleted file mode 100644 index fedac9b9425..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.html +++ /dev/null @@ -1,96 +0,0 @@ -

XML parsers Denial of Service attacks target XML parsers, which are software components responsible for parsing and interpreting XML documents.

-

Why is this an issue?

-

XML files are complex data structures. When a malicious user is able to submit an XML file, it triggers complex processing that may overwhelm the -parser. Most of the time, those complex processing are enabled by default, and XML parsers do not take preventive measures against Denial of Service -attacks.

-

What is the potential impact?

-

When an attacker successfully exploits the vulnerability, it can lead to a Denial of Service (DoS) condition.

-

System Unavailability

-

Affected system becomes unresponsive or crashes, rendering it unavailable to legitimate users. This can have severe consequences, especially for -critical systems that rely on continuous availability, such as web servers, APIs, or network services.

-

Amplification Attacks

-

In some cases, XML parsers Denial of Service attacks can be used as a part of larger-scale amplification attacks. By leveraging the vulnerability, -attackers can generate a disproportionately large response from the targeted system, amplifying the impact of their attack. This can result in -overwhelming network bandwidth and causing widespread disruption.

-

How to fix it in Java SE

-

Code examples

-

Noncompliant code example

-
-import javax.xml.parsers.DocumentBuilderFactory;
-
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
-
-

Compliant solution

-
-import javax.xml.parsers.DocumentBuilderFactory;
-
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
-

How to fix it in Dom4j

-

Code examples

-

Noncompliant code example

-
-import org.dom4j.io.SAXReader;
-
-SAXReader xmlReader = new SAXReader();
-xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
-
-

Compliant solution

-
-import org.dom4j.io.SAXReader;
-
-SAXReader xmlReader = new SAXReader();
-xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
-

How to fix it in Jdom2

-

Code examples

-

Noncompliant code example

-
-import org.jdom2.input.SAXBuilder;
-
-SAXBuilder builder = new SAXBuilder();
-builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);  // Noncompliant
-
-

Compliant solution

-
-import org.jdom2.input.SAXBuilder;
-
-SAXBuilder builder = new SAXBuilder();
-builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
-

Resources

-

Documentation

- -

Standards

- - diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.json deleted file mode 100644 index 71c531bc225..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6376.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "title": "XML parsers should not be vulnerable to Denial of Service attacks", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "MEDIUM" - }, - "attribute": "COMPLETE" - }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "15min" - }, - "tags": [ - "symbolic-execution" - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6376", - "sqKey": "S6376", - "scope": "Main", - "securityStandards": { - "CWE": [ - 776 - ], - "OWASP": [ - "A4" - ], - "OWASP Top 10 2021": [ - "A5" - ], - "STIG ASD 2023-06-08": [ - "V-222593", - "V-222608", - "V-222667" - ] - }, - "quickfix": "infeasible" -} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.html deleted file mode 100644 index 6560c6b1ddf..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.html +++ /dev/null @@ -1,65 +0,0 @@ -

XML signatures are a method used to ensure the integrity and authenticity of XML documents. However, if XML signatures are not validated securely, -it can lead to potential vulnerabilities.

-

Why is this an issue?

-

Before Java 17, XML Digital Signature API does not apply restrictions on XML signature validation unless the application runs with a security -manager, which is rare.

-

What is the potential impact

-

By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections.

-

Increased Vulnerability to Signature Spoofing

-

By disabling secure validation, the application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the -XML signature in a way that bypasses the validation process, allowing them to forge or tamper with the signature. This can lead to the acceptance of -invalid or maliciously modified signatures, compromising the integrity and authenticity of the XML documents.

-

Risk of Injection Attacks

-

Disabling secure validation can expose the application to injection attacks. Attackers can inject malicious code or entities into the XML document, -taking advantage of the weakened validation process. In some cases, it can also expose the application to denial-of-service attacks. Attackers can -exploit vulnerabilities in the validation process to cause excessive resource consumption or system crashes, leading to service unavailability or -disruption.

-

How to fix it in Java SE

-

Code examples

-

For versions of Java before 17, secure validation is disabled by default unless the application runs with a security manager, which is rare. It -should be enabled explicitly by setting the org.jcp.xml.dsig.secureValidation attribute to true with the -javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty method.

-

For Java 17 and higher, secure validation is enabled by default.

-

Noncompliant code example

-
-NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
-
-XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
-DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
-XMLSignature signature = fac.unmarshalXMLSignature(valContext);
-
-boolean signatureValidity = signature.validate(valContext);
-
-

Compliant solution

-
-NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
-
-XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
-DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
-valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
-XMLSignature signature = fac.unmarshalXMLSignature(valContext);
-
-boolean signatureValidity = signature.validate(valContext);
-
-

How does this work?

-

When XML Signature secure validation mode is enabled, XML Signatures are processed more securely. It enforces a number of restrictionsto to protect -from XML Documents that may contain hostile constructs that can cause denial-of-service or other types of security issues.

-

These restrictions can protect you from XML Signatures that may contain potentially hostile constructs that can cause denial-of-service or other -types of security issues.

-

Resources

-

Documentation

- -

Standards

- - diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.json deleted file mode 100644 index 48e9387c884..00000000000 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6377.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "title": "XML signatures should be validated securely", - "type": "VULNERABILITY", - "code": { - "impacts": { - "SECURITY": "MEDIUM" - }, - "attribute": "CONVENTIONAL" - }, - "status": "ready", - "remediation": { - "func": "Constant\/Issue", - "constantCost": "15min" - }, - "tags": [ - "symbolic-execution" - ], - "defaultSeverity": "Major", - "ruleSpecification": "RSPEC-6377", - "sqKey": "S6377", - "scope": "Main", - "securityStandards": { - "CWE": [ - 347 - ], - "OWASP": [ - "A3" - ], - "OWASP Top 10 2021": [ - "A2" - ], - "STIG ASD 2023-06-08": [ - "V-222608" - ] - }, - "quickfix": "infeasible" -}