xmlinputfactory-dtd-enabled-scala

ESS-ENN · ESS-ENN · commit 650b88b98196 · 2024-09-05T17:09:27.000+05:30
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -0,0 +1,25 @@
+id: xmlinputfactory-dtd-enabled-scala
+language: scala
+severity: warning
+message: >-
+      XMLInputFactory being instantiated without calling the setProperty
+      functions that are generally used for disabling entity processing. User
+      controlled data in XML Document builder can result in XML Internal Entity
+      Processing vulnerabilities like the disclosure of confidential data,
+      denial of service, Server Side Request Forgery (SSRF), port scanning. Make
+      sure to disable entity processing functionality.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity.
+  [REFERENCES]
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+    any:
+       - pattern: XMLInputFactory.newFactory($$$)
+       - pattern: XMLInputFactory.newInstance($$$)
+       - pattern: new XMLInputFactory($$$)
+precedes: 
+     not:
+      pattern: $XMLFACTORY.setProperty($MODE, false)
+constraints:
+      MODE:
+          regex: 'javax.xml.stream.isSupportingExternalEntities'
diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
@@ -0,0 +1,11 @@
+id: xmlinputfactory-dtd-enabled-scala
+snapshots:
+  ? |-
+    val factory = XMLInputFactory.newFactory()
+    val fileReader = new FileReader(file)
+    val fileReader = new FileReader(file)
+  : labels:
+    - source: XMLInputFactory.newFactory()
+      style: primary
+      start: 14
+      end: 42
diff --git a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml
@@ -0,0 +1,11 @@
+id: xmlinputfactory-dtd-enabled-scala
+valid:
+  - |
+    val factory = XMLInputFactory.newInstance
+    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
+    val fileReader = new FileReader(file)
+invalid:
+  - |
+    val factory = XMLInputFactory.newFactory()
+    val fileReader = new FileReader(file)
+    val fileReader = new FileReader(file)
