Audit - Rules - XML Files

Description
This group contains audit rules that look for problems in XML files.

Rules:

    Spell Check XML Attribute Names
    Spell Check XML Attribute Values
    Spell Check XML Body Text
    Spell Check XML Comments
    Spell Check XML Tag Names
    Validate XML

Details

Spell Check XML Attribute Names

Summary
XML attribute names should be spelled correctly.

Description
This audit rule finds XML attribute names that contain misspelled words.

Spell Check XML Attribute Values

Summary
XML attribute values should be spelled correctly.

Description
This audit rule finds XML attribute values that contain misspelled words.

Spell Check XML Body Text

Summary
XML body text should be spelled correctly.

Description
This audit rule finds XML body text that contains misspelled words.

Spell Check XML Comments

Summary
XML comments should be spelled correctly.

Description
This audit rule finds XML comments that contain misspelled words.

Spell Check XML Tag Names

Summary
XML tag names should be spelled correctly.

Description
This audit rule finds XML tag names that contain misspelled words.

Validate XML

Summary
All XML data entering the program should be validated by a parser against a DTD or XML Schema.

Description
Validating incoming data against a predefined model leaves less room for errors that an attacker could exploit. All XML data entering the program should be validated in one of three ways: against a DTD, by calling the factory's setValidating(true) method; against an XML Schema, by calling the factory's setSchema(Schema schema) method; or with the javax.xml.validation facilities introduced in Java 5. Note that enabling validation is only half of the job: the JDK parser reports validation errors through the ErrorHandler registered on the DocumentBuilder (or Validator), and the default handler merely prints them and continues, so register a handler that throws on error.

Security Implications
Data that does not conform to the expected model can be used by an attacker to perform an injection attack.

Example
The following code does not use any of the validation techniques before accessing and using DOM data and would thus be marked as a violation:

    // Violation: the parser is used with its defaults, so neither a DTD nor a schema
    // is applied and no ErrorHandler is registered before the DOM is handed out.
    DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(url).getDocumentElement();
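A compliant counterpart to the violating line above, written for this page as an added example (it is not code from the original page or from the audit tool's own documentation). It shows the three options the rule names: DTD validation with setValidating(true), schema validation with setSchema(Schema), and a stand-alone javax.xml.validation Validator. The schema, the DTD and the sample documents are constructed for the demonstration, the class name ValidateXmlExample is an assumption, and the FEATURE_SECURE_PROCESSING setting is a hardening step added here rather than something the rule checks.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class ValidateXmlExample {

    // Constructed sample schema (not from the page): an <order> holding one <id>
    // that must be a positive integer and one <note> of at most 40 characters.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"order\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"id\" type=\"xs:positiveInteger\"/>"
      + "<xs:element name=\"note\"><xs:simpleType>"
      + "<xs:restriction base=\"xs:string\"><xs:maxLength value=\"40\"/></xs:restriction>"
      + "</xs:simpleType></xs:element>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Constructed sample DTD, carried in the document's internal subset.
    static final String ORDER_DTD =
        "<!DOCTYPE order [<!ELEMENT order (id,note)>"
      + "<!ELEMENT id (#PCDATA)><!ELEMENT note (#PCDATA)>]>";

    // Turn every validation problem into an exception. The JDK's default handler
    // only prints non-fatal errors and lets parsing continue, which would make the
    // validation below useless.
    static final ErrorHandler STRICT = new ErrorHandler() {
        public void warning(SAXParseException e) throws SAXException { throw e; }
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    };

    static Schema loadSchema() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        return sf.newSchema(new StreamSource(
            new ByteArrayInputStream(ORDER_XSD.getBytes(StandardCharsets.UTF_8))));
    }

    // Variant 1: DTD validation via setValidating(true). The input needs a DOCTYPE.
    static Document parseWithDtd(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setValidating(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // hardening, added here
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(STRICT);
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Variant 2: XML Schema attached to the factory via setSchema(Schema); the
    // document is checked against it while it is parsed.
    static Document parseWithSchema(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(loadSchema());
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // hardening, added here
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(STRICT);
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Variant 3: javax.xml.validation.Validator run over the input on its own.
    static void validateStandalone(String xml) throws SAXException, IOException {
        Validator v = loadSchema().newValidator();
        v.setErrorHandler(STRICT);
        v.validate(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        String good = "<order><id>42</id><note>rush</note></order>";
        String bad = "<order><id>-1</id><note>rush</note></order>";        // schema: id not positive
        String missing = ORDER_DTD + "<order><note>rush</note></order>";   // DTD: <id> absent

        System.out.println("schema ok: " + parseWithSchema(good).getDocumentElement().getTagName());
        validateStandalone(good);
        System.out.println("dtd ok: " + parseWithDtd(ORDER_DTD + good).getDocumentElement().getTagName());
        try { parseWithSchema(bad); System.out.println("BUG: schema accepted bad input"); }
        catch (SAXParseException e) { System.out.println("schema rejected: " + e.getMessage()); }
        try { parseWithDtd(missing); System.out.println("BUG: DTD accepted bad input"); }
        catch (SAXParseException e) { System.out.println("dtd rejected: " + e.getMessage()); }
    }
}
```

Compile and run with any JDK 5 or later. The two invalid documents are rejected only because the STRICT handler is registered; without it the parser prints the validation error to stderr and still hands the invalid DOM back to the caller, which is exactly the situation the rule is meant to prevent.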