Deploying to gh-pages from @ cdf572b 🚀

SonarSource · Sep 29, 2023 · 20b34cc · 20b34cc
1 parent 6449687
commit 20b34cc
Show file tree

Hide file tree

Showing 3 changed files with 221 additions and 95 deletions.
diff --git a/rules/S6376/default-description.html b/rules/S6376/default-description.html
@@ -1,117 +1,180 @@
 <div class="sect1">
 <h2 id="_description">Description</h2>
 <div class="sectionbody">
-
+<div class="paragraph">
+<p>XML parsers Denial of Service attacks target XML parsers, which are software components responsible for parsing and interpreting XML documents.</p>
+</div>
 </div>
 </div>
 <div class="sect1">
 <h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>An XML bomb / <a href="https://en.wikipedia.org/wiki/Billion_laughs_attack">billion laughs</a> attack is a malicious XML document containing the same large entity repeated over and over again. If no restrictions is in place, such a limit on the number of entity expansions, the XML processor can consume a lot memory and time during the parsing of such documents leading to Denial of Service.</p>
+<p>XML files are complex data structures. When a malicious user is able to submit an XML file, it triggers complex processing that may overwhelm the parser. Most of the time, those complex processing are enabled by default, and XML parsers do not take preventive measures against Denial of Service attacks.</p>
+</div>
+<div class="sect2">
+<h3 id="_what_is_the_potential_impact">What is the potential impact?</h3>
+<div class="paragraph">
+<p>When an attacker successfully exploits the vulnerability, it can lead to a Denial of Service (DoS) condition.</p>
+</div>
 </div>
 <div class="sect2">
-<h3 id="_noncompliant_code_example">Noncompliant code example</h3>
+<h3 id="_system_unavailability">System Unavailability</h3>
 <div class="paragraph">
-<p>For <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html">DocumentBuilder</a>, <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html">SAXParser</a> and <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html">Schema</a> and <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html">Transformer</a> JAPX factories:</p>
+<p>Affected system becomes unresponsive or crashes, rendering it unavailable to legitimate users. This can have severe consequences, especially for critical systems that rely on continuous availability, such as web servers, APIs, or network services.</p>
+</div>
 </div>
+<div class="sect2">
+<h3 id="_amplification_attacks">Amplification Attacks</h3>
+<div class="paragraph">
+<p>In some cases, XML parsers Denial of Service attacks can be used as a part of larger-scale amplification attacks. By leveraging the vulnerability, attackers can generate a disproportionately large response from the targeted system, amplifying the impact of their attack. This can result in overwhelming network bandwidth and causing widespread disruption.</p>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_fix_it_in_java_se">How to fix it in Java SE</h2>
+<div class="sectionbody">
+<div class="sect2">
+<h3 id="_code_examples">Code examples</h3>
+<div class="sect3">
+<h4 id="_noncompliant_code_example">Noncompliant code example</h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
-
-SAXParserFactory factory = SAXParserFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
-
-SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant
+<pre class="highlight"><code class="language-java" data-lang="java">import javax.xml.parsers.DocumentBuilderFactory;
 
-TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant</code></pre>
 </div>
 </div>
-<div class="paragraph">
-<p>For <a href="https://dom4j.github.io/">Dom4j</a> library:</p>
 </div>
+<div class="sect3">
+<h4 id="_compliant_solution">Compliant solution</h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">SAXReader xmlReader = new SAXReader();
-xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant</code></pre>
+<pre class="highlight"><code class="language-java" data-lang="java">import javax.xml.parsers.DocumentBuilderFactory;
+
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);</code></pre>
 </div>
 </div>
-<div class="paragraph">
-<p>For <a href="http://www.jdom.org/">Jdom2</a> library:</p>
 </div>
-<div class="listingblock">
-<div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">SAXBuilder builder = new SAXBuilder();
-builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);  // Noncompliant</code></pre>
 </div>
 </div>
 </div>
+<div class="sect1">
+<h2 id="_how_to_fix_it_in_dom4j">How to fix it in Dom4j</h2>
+<div class="sectionbody">
 <div class="sect2">
-<h3 id="_compliant_solution">Compliant solution</h3>
-<div class="paragraph">
-<p>For <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/DocumentBuilderFactory.html">DocumentBuilder</a>, <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html">SAXParser</a> and <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/validation/SchemaFactory.html">Schema</a> and <a href="https://docs.oracle.com/javase/9/docs/api/javax/xml/transform/TransformerFactory.html">Transformer</a> JAPX factories:</p>
-</div>
+<h3 id="_code_examples_2">Code examples</h3>
+<div class="sect3">
+<h4 id="_noncompliant_code_example_2">Noncompliant code example</h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
-SAXParserFactory factory = SAXParserFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+<pre class="highlight"><code class="language-java" data-lang="java">import org.dom4j.io.SAXReader;
 
-SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
-TransformerFactory factory = javax.xml.transform.TransformerFactory.newInstance();
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);</code></pre>
+SAXReader xmlReader = new SAXReader();
+xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); // Noncompliant</code></pre>
 </div>
 </div>
-<div class="paragraph">
-<p>For <a href="https://dom4j.github.io/">Dom4j</a> library:</p>
 </div>
+<div class="sect3">
+<h4 id="_compliant_solution_2">Compliant solution</h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">SAXReader xmlReader = new SAXReader();
+<pre class="highlight"><code class="language-java" data-lang="java">import org.dom4j.io.SAXReader;
+
+SAXReader xmlReader = new SAXReader();
 xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);</code></pre>
 </div>
 </div>
-<div class="paragraph">
-<p>For <a href="http://www.jdom.org/">Jdom2</a> library:</p>
 </div>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_fix_it_in_jdom2">How to fix it in Jdom2</h2>
+<div class="sectionbody">
+<div class="sect2">
+<h3 id="_code_examples_3">Code examples</h3>
+<div class="sect3">
+<h4 id="_noncompliant_code_example_3">Noncompliant code example</h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlight"><code class="language-java" data-lang="java">SAXBuilder builder = new SAXBuilder();
+<pre class="highlight"><code class="language-java" data-lang="java">import org.jdom2.input.SAXBuilder;
+
+SAXBuilder builder = new SAXBuilder();
+builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);  // Noncompliant</code></pre>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_compliant_solution_3">Compliant solution</h4>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-java" data-lang="java">import org.jdom2.input.SAXBuilder;
+
+SAXBuilder builder = new SAXBuilder();
 builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);</code></pre>
 </div>
 </div>
 </div>
 </div>
 </div>
+</div>
 <div class="sect1">
 <h2 id="_resources">Resources</h2>
 <div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
 <div class="ulist">
 <ul>
 <li>
-<p><a href="https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-8CD65EF5-D113-4D5C-A564-B875C8625FAC">Oracle Java Documentation</a> - XML External Entity Injection Attack</p>
+<p>Java Documentation - <a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html">DocumentBuilderFactory Class</a></p>
+</li>
+<li>
+<p>Java Documentation - <a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/SAXParserFactory.html">SAXParserFactory Class</a></p>
 </li>
 <li>
-<p><a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">OWASP Top 10 2017 Category A4</a> - XML External Entities (XXE)</p>
+<p>Java Documentation - <a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/validation/SchemaFactory.html">SchemaFactory Class</a></p>
 </li>
 <li>
-<p><a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">OWASP XXE Prevention Cheat Sheet</a></p>
+<p>Java Documentation - <a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/transform/TransformerFactory.html">TransformerFactory Class</a></p>
 </li>
 <li>
-<p><a href="https://cwe.mitre.org/data/definitions/776">MITRE, CWE-776</a> - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')</p>
+<p>Java Documentation - <a href="https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html">Java API for XML Processing (JAXP) Security Guide</a></p>
+</li>
+<li>
+<p>Dom4j Documentation - <a href="https://dom4j.github.io/javadoc/2.1.4/org/dom4j/io/SAXReader.html">SAXReader Class</a></p>
+</li>
+<li>
+<p>Jdom2 Documentation - <a href="http://www.jdom.org/docs/apidocs/org/jdom2/input/SAXBuilder.html">SAXBuilder class</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">XXE Prevention Cheat Sheet</a></p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
+<li>
+<p>OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP Top 10 2021 Category A5 - Security Misconfiguration</a></p>
+</li>
+<li>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">OWASP Top 10 2017 Category A4 - XML External Entities (XXE)</a></p>
+</li>
+<li>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/776">CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')</a></p>
 </li>
 </ul>
 </div>
 <hr>
 </div>
 </div>
+</div>
 <div class="sect1">
 <h2 id="_implementation_specification">Implementation Specification</h2>
 <div class="sectionbody">