OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: XML_External_Entity_Prevention_Cheat_Sheet.html#validator #1284

Closed cgocast closed 8 months ago

cgocast commented 8 months ago

What is missing or needs to be updated?

The sample to protect a javax.xml.validation.Validator does not follow the recommendations given to protect a javax.xml.validation.SchemaFactory. The following lines are missing:

```java
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
```

How should this be resolved?

Add the two missing lines in the sample.

Add a link to [the documentation of newValidator()](https://docs.oracle.com/javase%2F7%2Fdocs%2Fapi%2F%2F/javax/xml/validation/Schema.html#newValidator()) which states:

Implementors should assure that the properties set on the SchemaFactory that created this Schema are also set on the Validator constructed.
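The pattern this issue asks for, as an added example that is not the cheat sheet's own sample: both access properties are set on the SchemaFactory and then again on the Validator, because the Javadoc only says implementors "should" carry them over. The inline schema and document are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.StringReader;

public class HardenedValidatorExample {

    // SchemaFactory with external DTD and external schema access disabled,
    // matching the cheat sheet's existing SchemaFactory recommendation.
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    // Set the same two properties on the Validator explicitly. Relying on the
    // factory settings being inherited is implementation-dependent, so the
    // Validator is hardened on its own as well (defense in depth).
    static Validator hardenedValidator(Schema schema) throws Exception {
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inline schema and document used only for this example.
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
                   + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";
        String xml = "<note>hello</note>";

        Schema schema = hardenedSchemaFactory().newSchema(new StreamSource(new StringReader(xsd)));
        Validator validator = hardenedValidator(schema);

        // With both properties set to "", any external DTD or schema reference
        // encountered during validation is refused instead of being fetched.
        validator.validate(new StreamSource(new StringReader(xml)));
        System.out.println("validated with external DTD/schema access disabled");
    }
}
```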

mackowski commented 8 months ago

It is documented how to protect SchemaFactory https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#schemafactory

cgocast commented 8 months ago

Yes, I am aware. I am just saying that the sample given in https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#validator does not follow the recommendations you are linking to. In my opinion, the OWASP Cheat Sheet should avoid giving code samples that are bad practice.

mackowski commented 8 months ago

Yes @cgocast good catch! Do you want to make a PR for this one?

cgocast commented 8 months ago

Sure, I will write a PR.

mackowski commented 8 months ago

Awesome thanks!