Merge pull request #1666 from yh-semmle/java-xxe-qhelp

Java: update XXE qhelp with note on processing limits
Anders Schack-Mulligen
2019-08-01 10:01:53 +02:00
committed by GitHub


@@ -25,6 +25,8 @@ external entities. This query currently identifies vulnerable XML parsing from t
The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
If this is not possible you should disable the parsing of external general entities and external parameter entities.
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done
by default in recent JDK and JRE implementations.
</p>
</recommendation>
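Review bot: the added sentence "which is done by default in recent JDK and JRE implementations" is vague on two points that matter to a reader acting on this advice. First, "recent" should name the release from which the limits are on by default, or at least point the reader at the Processing Limits page that is linked later in the file, so they can check their own runtime. Second, defaults can be raised or switched off by configuration (the JAXP properties documented on that page, system properties, or a jaxp.properties file), so the text should say that the limits only help if they have not been overridden, and suggest that the reader verify the effective setting rather than rely on the default. It is also worth stating that expansion limits only mitigate the entity-expansion class of denial of service (the Billion Laughs reference below); they do nothing for the server-side request forgery risk named in the previous sentence, which still requires disabling external entities.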
@@ -64,6 +66,10 @@ Out-of-band data retrieval: Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013
Denial of service attack (Billion laughs):
<a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a>
</li>
<li>
The Java Tutorials:
<a href="https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html">Processing Limit Definitions.</a>
</li>
</references>
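Review bot: the new reference is to the JAXP tutorial (the URL path is jaxp/limits), so the processing limits it documents are those of the JDK's built-in parser. Since the recommendation above now leans on those limits being "done by default", the list entry or the recommendation text should make clear that this applies to the JDK-bundled parser and that a project using a third-party XML parser directly may not get the same defaults and must configure limits itself. Minor style point: the other entries in this list give the author or venue before the title (e.g. "Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013"); "The Java Tutorials:" follows that pattern, so the entry is consistent, but consider adding "(Oracle)" so the source of the documentation is unambiguous.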