SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 76

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 77

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added schema CS

...

Code Block
bgColor#FFcccc
private void createXMLStream(BufferedOutputStream outStream, String quantity)
             throws IOException {
  String xmlString;
  xmlString = "<item>\n<description>Widget</description>\n<price>500.0</price>\n" +
              "<quantity>" + quantity + "</quantity></item>";
  outStream.write(xmlString.getBytes());
  outStream.flush();
}

...

Code Block
bgColor#ccccff
private void createXMLStream(BufferedOutputStream outStream, String quantity)
             throws IOException {
  // Write XML string if quantity contains numbers only (whitelisting)
  // Blacklisting of invalid characters can also be done in conjunction

  if (!Pattern.matches("[0-9]+", quantity)) {
    // Format violation
  }

  String xmlString = "<item>\n<description>Widget</description>\n<price>500</price>\n" +
                     "<quantity>" + quantity + "</quantity></item>";
  outStream.write(xmlString.getBytes());
  outStream.flush();
}

Compliant Solution (XML Schema)

A more general mechanism for checking XML for attempted injection is to validate it using a DTD or schema. The schema must be rigidly defined to prevent injections from being mistaken for valid XML. Here is a suitable schema for validating our XML snippet:

Code Block
bgColor#ccccff

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="item">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="description" type="xs:string"/>
      <xs:element name="price" type="xs:decimal"/>
      <xs:element name="quantity" type="xs:integer"/>      
    </xs:sequence>
  </xs:complexType>
</xs:element>
</xs:schema>

This compliant code example employs this schema to prevent XML injection from succeeding. The schema is avaialble as the file schema.xsd.

Code Block
bgColor#ccccff

private void createXMLStream(BufferedOutputStream outStream, String quantity)
             throws IOException {
  String xmlString;
  xmlString = "<item>\n<description>Widget</description>\n<price>500.0</price>\n" +
    "<quantity>" + quantity + "</quantity></item>";
  InputSource xmlStream = new InputSource(new StringReader(xmlString));

  // Build a validating SAX parser using our schema
  SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
  DefaultHandler defHandler = new DefaultHandler() {
      public void warning(SAXParseException s) throws SAXParseException {throw s;}
      public void error(SAXParseException s) throws SAXParseException {throw s;}
      public void fatalError(SAXParseException s) throws SAXParseException {throw s;}
    };
  StreamSource ss = new StreamSource(new File("schema.xsd"));
  try {
    Schema schema = sf.newSchema(ss);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setSchema(schema);
    SAXParser saxParser = spf.newSAXParser();
    // To set the custom entity resolver, an XML reader needs to be created
    XMLReader reader = saxParser.getXMLReader(); 
    reader.setEntityResolver(new CustomResolver());
    saxParser.parse(xmlStream, defHandler);
  } catch (ParserConfigurationException x) {
    throw new IOException("Unable to validate XML", x);
  } catch (SAXException x) {
    throw new IOException("Invalid quantity", x);
  }

  // "<quantity>"Our +XML quantityis + "</quantity></item>";valid, proceed
  outStream.write(xmlString.getBytes());
  outStream.flush();
}

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="501f32248eb6ba40-c33e0490-4b3b457b-b3d8b7cf-bd026788899c6a080bf89a2c"><ac:plain-text-body><![CDATA[

[[OWASP 2005

AA. Bibliography#OWASP 05]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3300cf077522751d-49c091f8-4f534b88-8e07b559-7f21e9a506e199fee410870c"><ac:plain-text-body><![CDATA[

[[OWASP 2007

AA. Bibliography#OWASP 07]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2a77e01f24b315a1-07b7faed-4c0a45e5-b772b09d-95a985796f3047b3c9b04f95"><ac:plain-text-body><![CDATA[

[[OWASP 2008

AA. Bibliography#OWASP 08]]

 

]]></ac:plain-text-body></ac:structured-macro>

Testing for XML Injection (OWASP-DV-008)

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="93b3a625f23bc27b-5bacb531-4f7741bb-88da978d-e2aab24e54777622d49ca78b"><ac:plain-text-body><![CDATA[

[[W3C 2008

AA. Bibliography#W3C 08]]

4.4.3 Included If Validating

]]></ac:plain-text-body></ac:structured-macro>

...