In order to ensure that we avoid XXE attacks, I’d like to propose that we set some rules (enforced at the build level), so that we fail the build when one of the following construct is used:
DocumentBuilderFactory.newInstance(); SAXParserFactory.newInstance(); XMLInputFactory.newInstance(); javax.xml.transform.TransformerFactory.newInstance() SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); new SAXReader(); new SAXBuilder();
(this list comes from Sonarqube: Java static code analysis: XML parsers should not be vulnerable to XXE attack )
Instead, the idea would be to promote using a helper method from the XWiki Commons XML module (
XMLUtils for example). The idea is that these helper methods will be configured to be safe against XXE attacks and thus developers won’t be able to forget to protect against XXE attacks. Similar to what we already have at xwiki-commons/XMLUtils.java at a818817f33240c77ab07c5fcedd8b46e38305b09 · xwiki/xwiki-commons · GitHub
BTW I’m not very familiar with
LSParser and I don’t know if we can use this for all our XML to parse or if there are some constraints to consider.
In any case, at this point, this post is about whether we’re ok with the idea?
Next step would be to propose an API in the XML module and a rule implementation (decide if it’s a maven enforcer, a checkstyle rule, a Spoon rule, etc).