
Sonar proposes compliant solution for SchemaFactory as follows:

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
// to be compliant, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or prohibit the use of all protocols by external entities:
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

It clearly says "disable DOCTYPE declaration" or "prohibit the use of all protocols by external entities", so I chose the 1st option.

(Screenshot: Sonar finding)

Any clues on how to fix this without setting the external properties? Is it a bug in Sonar, or am I missing something? I used newInstance() with a specific factory class argument, but I don't think it should influence the security rule.

makozaki
  • Try the second option. Documented properties are more reliable than an undocumented property. You may also want to add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. – VGR Mar 15 '23 at 16:41
  • I checked all options and sonar only accepts solution with disabled `ACCESS_EXTERNAL_*` flags. In my case I can suppress the warning as I'm using schema from project resources. Nevertheless the description is misleading. – makozaki Mar 16 '23 at 08:04
  • I have many times written code with a comment like `// Make sonar happy`. Sonar has a lot of flaws. Secure XML processing is a good thing, but I can’t think of a justification for only accepting the doctype approach. – VGR Mar 16 '23 at 14:02
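The configuration discussed above and in VGR's comment, written out as a complete, added example (not code from the question, from Sonar, or from any project): the JAXP-standard `ACCESS_EXTERNAL_*` properties and `FEATURE_SECURE_PROCESSING` are set unconditionally, while the Xerces-specific `disallow-doctype-decl` feature is applied best-effort because other implementations may not recognise it. The class name, the inline schema and the sample documents are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/** Hypothetical helper: a SchemaFactory hardened against external entity/DTD access. */
public final class HardenedSchemaFactory {

    public static SchemaFactory create() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // JAXP-standard properties: an empty string allows no protocol at all
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Resource limits (entity expansion etc.) defined by JAXP
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces-specific; other implementations may reject the feature name, so do not fail hard
        try {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Feature unknown to this implementation; the JAXP properties above still apply
        }
        return factory;
    }

    // Constructed sample schema and documents for the demonstration below
    static final String XSD = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
            + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";
    static final String PLAIN_DOC = "<note>hello</note>";
    static final String DOCTYPE_DOC =
            "<!DOCTYPE note SYSTEM \"http://example.invalid/note.dtd\"><note>hello</note>";

    /** Validates xml against xsd; returns false if parsing or validation is refused. */
    public static boolean validates(String xsd, String xml) throws SAXException {
        Schema schema = create().newSchema(new StreamSource(new StringReader(xsd)));
        Validator validator = schema.newValidator();
        // The Validator has its own settings; restrict external access there as well
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document valid: " + validates(XSD, PLAIN_DOC));
        // Fetching the external DTD is refused by the access restriction, so validation fails
        System.out.println("external-DTD document valid: " + validates(XSD, DOCTYPE_DOC));
    }
}
```

Note that the factory only governs how schema documents are read; the document being validated goes through the Validator, which is why the access properties are set on it too.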

0 Answers