
Veracode CWE id 611

Tags:

veracode

I have a piece of code where there is a Veracode finding for Improper Restriction of XML External Entity Reference ('XXE') Attack.

Code:

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StreamResult result = new StreamResult(new StringWriter());
        DOMSource source = new DOMSource(node);
        transformer.transform(source, result); // CWE ID 611, impacted line.

I used

transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformer.setOutputProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

but no luck.

Ab_sin asked Oct 17 '25 19:10


1 Answer

The issue got resolved with the following code:

        // Note: despite its name, "transformer" is the TransformerFactory here.
        // The restrictions are set on the factory, before newTransformer() is called.
        TransformerFactory transformer = TransformerFactory.newInstance();
        transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        transformer.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        StreamResult result = new StreamResult(new StringWriter());
        DOMSource source = new DOMSource(node);
        transformer.newTransformer().transform(source, result);
Ab_sin answered Oct 19 '25 13:10
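
The fix above as a complete, compilable class. This is an added example, not code from the original question or answer. The class name `SafeNodeSerializer`, the helper names and the sample XML are assumptions. It goes beyond the answer by also enabling `FEATURE_SECURE_PROCESSING` and by hardening the parser that builds the DOM passed to `DOMSource`.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class SafeNodeSerializer {

    // ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET are factory attributes,
    // not output properties, so they are set here, before newTransformer().
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol is allowed for external DTDs/entities.
        // setAttribute throws IllegalArgumentException if the implementation
        // on the classpath does not recognize the attribute.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Same restriction for xsl:import, xsl:include and document().
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Serializes a DOM node to a string with an identity transform.
    static String serialize(Node node) throws Exception {
        Transformer transformer = hardenedFactory().newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(node), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. The parser that builds the DOM is hardened
        // too: DOCTYPE declarations are rejected outright.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setNamespaceAware(true);
        String xml = "<order id=\"42\"><item>widget</item></order>";
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        System.out.println("Factory in use: " + hardenedFactory().getClass().getName());
        System.out.println(serialize(doc.getDocumentElement()));
    }
}
```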


