
Facing a Checkmarx scan issue HRA_JAVA_Improper_Restrection_of_XXE_Ref, and it is highlighting that "unmarshall is set to automatically load and replace any DTD entity reference in the XML, including references to external files"

import java.io.IOException;
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// msg is part of user input
private UserDetail populateUserDetail(String msg)
        throws JAXBException, IOException, SAXException, ParserConfigurationException
{
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setValidating(true);
    // Disable external entity resolution and external DTD loading on the DOM parser
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setExpandEntityReferences(false);
    DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
    // Parse the user-supplied string with the hardened builder
    Document document = documentBuilder.parse(new InputSource(new StringReader(msg)));
    final JAXBContext jaxbContext = JAXBContext.newInstance(UserDetail.class);
    Unmarshaller jaxbUnmarshaller = jaxbContext.createUnmarshaller();
    UserDetail userDetail = (UserDetail) jaxbUnmarshaller.unmarshal(document);
    return userDetail;
}
Reddy
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Aug 20 '23 at 02:04
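As an added example (not the asker's code, and not a Checkmarx recommendation), one common way to satisfy this kind of finding: instead of handing JAXB a DOM, give it a StAX XMLStreamReader whose factory has DTD support and external-entity resolution switched off, so the unmarshaller has no chance to load or expand an external entity on its own. It assumes the javax.xml.bind JAXB API is on the classpath; the one-field UserDetail class, the sample inputs and the placeholder entity URI are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeUnmarshal {

    // Constructed stand-in for the question's UserDetail type (hypothetical, one field).
    @XmlRootElement(name = "userDetail")
    public static class UserDetail {
        public String name;
    }

    // Parse untrusted XML with a StAX reader that cannot process DTDs or resolve
    // external entities, then let JAXB unmarshal from that reader instead of from a
    // String/InputStream it would otherwise parse with its own default settings.
    static UserDetail populateUserDetail(String msg) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);                     // no DOCTYPE/DTD processing
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // no external entity expansion
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(msg));
        Unmarshaller unmarshaller = JAXBContext.newInstance(UserDetail.class).createUnmarshaller();
        return (UserDetail) unmarshaller.unmarshal(xsr);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one that declares an external entity.
        String benign = "<userDetail><name>alice</name></userDetail>";
        String withExternalEntity =
                "<!DOCTYPE userDetail [<!ENTITY ext SYSTEM \"file:///placeholder-path\">]>"
                + "<userDetail><name>&ext;</name></userDetail>";

        System.out.println(populateUserDetail(benign).name); // benign document unmarshals normally

        try {
            populateUserDetail(withExternalEntity);
            System.out.println("unexpected: external entity input was accepted");
        } catch (Exception e) {
            // Depending on the StAX implementation the DOCTYPE is refused outright, or skipped
            // and the undeclared &ext; reference rejected; in both cases the file is never read.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Static analyzers generally trace the argument of unmarshal() back to its source, so feeding it a reader built from a factory with these two properties set is what makes the data flow visibly safe to the tool, whereas a DOM built by a separately configured DocumentBuilderFactory often is not recognised.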

0 Answers