Audit - Rules - XML Files
Description
This group contains audit rules that look for problems in XML files.
Rules:
Summary
All XML data entering the program should be validated by a parser against a DTD or XML Schema.
Description
Validating incoming data against a predefined model leaves less room for errors that an attacker could exploit. All XML data entering the program should be validated either against a DTD (using the factory's setValidating(true) method), against an XML Schema (using the factory's setSchema(Schema schema) method), or using the Java 5 javax.xml.validation facilities.
Security Implications
Flaws in the data model can be exploited by an attacker to perform an injection attack.
Example
The following code does not use any of the validation techniques before accessing and using DOM data and would thus be marked as a violation:
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(url).getDocumentElement();