'XML External Entity Injection' issue isn't resolving even after applying Fortify's recommended suggestion


I have a Fortify report that flags an 'XML External Entity Injection' issue on the line (Transformer tFormer = tFactory.newTransformer()) in Java code, and I made the fixes below to address it.

import javax.xml.XMLConstants;
import javax.xml.transform.*;

TransformerFactory tFactory = TransformerFactory.newInstance(); // line where Fortify flags the issue
tFactory.setFeature("xml.org/.../external-general-entities", false);
tFactory.setFeature("xml.org/.../external-parameter-entities", false);
tFactory.setFeature("apache.org/.../disallow-doctype-decl", true);
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer tFormer = tFactory.newTransformer(); // line where Fortify flags the issue

However, even after these changes Fortify still reports the 'XML External Entity Injection' error.

However, most sites, including the OWASP cheat sheet, state that only the settings below are sufficient.

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // same factory as above, not a separate tFactory

I wanted to understand whether the Fortify rules around XXE detection look for some specific settings on the parser apart from the above.

I have added the three lines below:

tFactory.setFeature("xml.org/.../external-general-entities", false);
tFactory.setFeature("xml.org/.../external-parameter-entities", false);
tFactory.setFeature("apache.org/.../disallow-doctype-decl", true);

which Fortify recommends to resolve it, but it still flags the issue.
The lines below are already part of the code:

tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

How should I solve this?
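Whatever the scanner reports, the configuration can be verified at runtime. The following added example (not part of the question, and not Fortify's or OWASP's code) builds a TransformerFactory with only the standard JAXP settings from the question, then feeds it a constructed document whose external entity points at a temporary file the program itself creates; the class name, the file name and the marker string are assumptions for this check.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class XxeTransformerCheck {
    // Hardened factory using only standard JAXP settings: the two ACCESS_EXTERNAL_*
    // attributes block external DTDs/entities and external stylesheets, and secure
    // processing applies the JAXP resource limits. No parser-specific feature URIs.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform of the document; returns the output, or null when the
    // transformer refuses the input (the expected outcome for the fixture below).
    static String transformOrNull(TransformerFactory tf, String xml) {
        try {
            StringWriter out = new StringWriter();
            tf.newTransformer().transform(
                    new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            System.out.println("Refused: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a local file whose marker must not appear in the output.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.writeString(canary, "CANARY-DO-NOT-LEAK");   // Java 11+
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
                + "<doc>&ext;</doc>";
        String result = transformOrNull(hardenedFactory(), xml);
        boolean leaked = result != null && result.contains("CANARY-DO-NOT-LEAK");
        System.out.println(leaked ? "FAIL: external entity was resolved"
                                  : "OK: external entity was not resolved");
        Files.deleteIfExists(canary);
    }
}
```

With the JDK's built-in factory the transform is refused with a message naming the accessExternalDTD restriction; a run that prints FAIL means the settings were not applied to the factory actually used at runtime (for example, a different TransformerFactory implementation on the classpath), which is a separate question from whether a static-analysis rule recognises them.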

