You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: java/ql/src/Security/CWE/CWE-611/XXE.qhelp
+5Lines changed: 5 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -27,6 +27,11 @@ If this is not possible you should disable the parsing of external general entit
27
27
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
28
28
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done
29
29
by default in recent JDK and JRE implementations.
30
+
31
+
Because there are many different ways to disable external entity retrieval with varying support between different providers,
32
+
in this query we choose to specifically check for the <ahref="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">OWASP recommended way</a>
33
+
to disable external entity retrieval for a particular parser. There may be other ways of making a particular parser safe
34
+
which deviate from these guidelines, in which case this query will continue to flag the parser as potentially dangerous.
0 commit comments