SwitchEV / RISE-V2G

The only fully-featured reference implementation of the Vehicle-2-Grid communication interface ISO 15118
MIT License

S2755: XML parsers should not be vulnerable to XXE attacks #49

Closed. MatthiasOs closed this 4 years ago.

MatthiasOs commented 4 years ago

Hi,

for the fun of it I analyzed the repo with SonarLint and found two interesting blocker issues: "XML parsers should not be vulnerable to XXE attacks" (java:S2755):

- OpenEXICodec#96: `setSaxParserFactory(SAXParserFactory.newInstance());`
- EXIficientCodec#137: `XMLReader xmlReader = XMLReaderFactory.createXMLReader();`

I don't understand that much about XML parsing, but it looks like it may be possible to inject entities through the parsed XMLs. Don't know if that is a use case which is relevant though.

See https://rules.sonarsource.com/java/RSPEC-2755
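The following is an added example, not code from RISE-V2G: it puts the default parser construction that SonarLint flags beside a hardened `SAXParserFactory` setup that disables DTD processing and external entity resolution, and it parses a constructed document carrying a DOCTYPE to show the difference. Class and method names are assumptions for illustration; the feature URIs are the standard SAX/Xerces ones, and the same factory route can replace both call sites since `XMLReaderFactory.createXMLReader()` is deprecated in current JDKs.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {

    // The pattern SonarLint flags: JDK defaults leave DTD processing and
    // external entity resolution enabled, so a DOCTYPE in untrusted input
    // is honoured.
    static XMLReader unsafeReader() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    // Hardened construction: refuse DOCTYPE declarations outright (the
    // strongest setting) and additionally switch off external entity
    // expansion in case a parser implementation ignores the first feature.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }

    // Constructed sample: a benign internal entity is enough to show that the
    // hardened reader rejects any DOCTYPE before entities are processed.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE msg [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<msg>&greeting;</msg>";

    static String parseWith(XMLReader reader, String xml) {
        try {
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parseWith(unsafeReader(), SAMPLE_WITH_DTD));
        System.out.println("hardened: " + parseWith(hardenedReader(), SAMPLE_WITH_DTD));
    }
}
```

The default reader accepts the document and expands the entity, while the hardened reader fails on the DOCTYPE line; if a deployment must accept DTDs, keep the two external-entity features disabled and drop only the disallow-doctype-decl line.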

MarcMueltin commented 4 years ago

Thanks, but I haven't heard of this being an issue, especially for the EV to charging station communication where you have no direct communication via the internet. If this ever results in an issue with ISO 15118, I'm willing to reopen the issue.