Critiq Docs


Disable DTD and external entities on XMLInputFactory

`XMLInputFactory.newInstance()` and `XMLInputFactory.newFactory()` should set `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` to false before reading untrusted XML.

# Metadata

| Field | Value |
|---|---|
| Rule ID | `java.security.xxe-xml-input-factory` |
| Severity | high |
| Confidence | 0.85 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | java, rules-catalog, security, stax, xxe |

# Why it matters

StAX `XMLInputFactory` defaults expand DTDs and external entities; without explicit hardening the parser is vulnerable to XXE and external resource disclosure.

# Remediation

Set `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` before creating any reader.
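As an added example (not code from the rule page or the Critiq project), a factory configured the way the rule requires, plus a constructed DOCTYPE sample that confirms the hardening actually takes effect before any untrusted document is read:

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class HardenedStax {

    /** Factory configured as the rule requires: DTDs are not processed, external entities are not resolved. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Both properties must be set before the first reader is created from this factory.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /** Returns the text of the first element; untrusted input only ever reaches the hardened factory. */
    public static String firstElementText(String untrustedXml) throws XMLStreamException {
        XMLStreamReader reader = newHardenedFactory().createXMLStreamReader(new StringReader(untrustedXml));
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    return reader.getElementText();
                }
            }
            return "";
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample: a plain document without a DOCTYPE parses normally.
        System.out.println(firstElementText("<greeting>hello</greeting>"));

        // Constructed sample: a document carrying an internal DTD. With SUPPORT_DTD=false the DTD is
        // not processed, so the reference &x; is undeclared and the parser throws XMLStreamException
        // instead of expanding it. If this call succeeds, the factory in use is not hardened.
        String withDoctype = "<!DOCTYPE note [<!ENTITY x \"y\">]><note>&x;</note>";
        try {
            firstElementText(withDoctype);
            System.out.println("DTD content was expanded: factory is NOT hardened");
        } catch (XMLStreamException e) {
            System.out.println("DTD not processed, as expected: " + e.getMessage());
        }
    }
}
```

The exact exception message differs between the JDK's built-in StAX implementation and Woodstox, but both raise `XMLStreamException` for the second sample once both properties are `false`.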

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.xxe-xml-input-factory.rule.yaml`.