Merge pull request #7229 from smowton/smowton/admin/document-xxe-sanitisation-policy

Document XXE sanitisation policy
2026-04-30 19:26:02 +02:00 · 2021-11-25 10:55:25 +01:00
parent d3da790191 120f2045cd
commit 609d6011a2
1 changed files with 5 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-611/XXE.qhelp
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.qhelp
@@ -27,6 +27,11 @@ If this is not possible you should disable the parsing of external general entit
 This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
 Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done
 by default in recent JDK and JRE implementations.
+
+Because there are many different ways to disable external entity retrieval with varying support between different providers,
+in this query we choose to specifically check for the <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">OWASP recommended way</a>
+to disable external entity retrieval for a particular parser. There may be other ways of making a particular parser safe
+which deviate from these guidelines, in which case this query will continue to flag the parser as potentially dangerous.
 </p>
 </recommendation>