XML parsing vulnerable to XXE for TransformerFactory
ID: java-security/xml-parsing-xxe-transformer
Language: Java
Severity: Warning
Category: Security
CWE: 611
Description
Your code may be vulnerable XML if you process XML from an untrusted source. Make sure to enable secure processing when you process XML data.
For TransformerFactory
, make sure you set XMLConstants.FEATURE_SECURE_PROCESSING
to true.
Learn More
Non-Compliant Code Examples
class MyClass {
public void test() {
TransformerFactory factory = TransformerFactory.newInstance();
factory.newTransformer();
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.transform(input, result);
}
}
Compliant Code Examples
class MyClass {
public void test() {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = factory.newTransformer();
}
}
Seamless integrations. Try Datadog Code Analysis