Merge pull request #213 from shivasurya/shiva/xxe-basic-rule

atlas/rule: add basic xxe rule for java xml parser

Author: shivasurya

docs/src/content/docs/atlas/index.mdx

@@ -32,7 +32,7 @@ import Footer from '../../../components/Footer.astro';
     <CardGrid>
       {/* Java Card */}
       <Card title="Java" icon="seti:java">
-        6 rules for Java applications
+        7 rules for Java applications
         <div>
           <a href="/atlas/java" class="view-docs-link">View Rules</a>
         </div>

docs/src/content/docs/atlas/java/index.mdx

@@ -21,7 +21,7 @@ To run these rules against your Java codebase:
 codepathfinder ci --project /src/project --ruleset cpf/java
 ```
 
-#### Rules (4)
+#### Rules (7)
 
 <RuleSearch placeholder="Search security rules and patterns..." />
 
@@ -117,6 +117,38 @@ SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443);`}
   </Card>
 </div>
 
+
+<div class="rule-card" data-severity="high" data-type="security" data-owasp="xml-external-entities">
+  <Card title="XML External Entity (XXE) Vulnerability" icon="warning">
+      <div class="description">
+      **Severity: High** | **OWASP: XML External Entities (XXE)**  
+      Identifies insecure XML parser configurations that could allow XXE attacks, potentially leading to data disclosure, denial of service, or server-side request forgery.
+      </div>
+      <div class="code-section">
+        <CollapsibleCode 
+            code={`
+// ❌ Vulnerable: Disabling protection
+DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+DocumentBuilder builder = dbf.newDocumentBuilder();
+
+// ✅ Safe: Properly configured XML parser
+DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+dbf.setXIncludeAware(false);
+dbf.setExpandEntityReferences(false);
+DocumentBuilder builder = dbf.newDocumentBuilder();`}
+            lang="java"
+            title="XML Parser Configuration Example"
+            marks={['Vulnerable', 'Vulnerable', 'Safe']}
+        />
+      </div>
+  </Card>
+</div>
+
+
 </div>
 
 For more information on using Code PathFinder with Java, see our [documentation](/overview).

pathfinder-rules/java/XMLExternalEntity.cql

@@ -0,0 +1,22 @@
+/**
+ * @name XXEConfig
+ * @description Detects insecure XML parsers and configurations that could lead to XXE attacks
+ * @kind problem
+ * @id java/XXEConfig
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-611
+ * @ruleprovider java
+ */
+
+FROM method_invocation AS mi
+WHERE mi.getName() == "setFeature" &&
+    ("http://xml.org/sax/features/external-parameter-entities" in mi.getArgumentName() &&
+     "true" in mi.getArgumentName()) ||
+    ("http://xml.org/sax/features/external-general-entities" in mi.getArgumentName() && 
+     "true" in mi.getArgumentName()) ||
+    ("http://apache.org/xml/features/disallow-doctype-decl" in mi.getArgumentName() &&
+     "false" in mi.getArgumentName())
+SELECT mi.getName(), "XML External Entity (XXE) attack vulnerability"

sourcecode-parser/cmd/ci_test.go

@@ -122,7 +122,7 @@ func TestLoadRules(t *testing.T) {
 			name:           "Local rules directory",
 			rulesDirectory: "../../pathfinder-rules",
 			isHosted:       false,
-			expectedRules:  12,
+			expectedRules:  13,
 			expectError:    false,
 		},
 		{

test-src/android/app/src/main/java/com/ivb/udacity/movieDetailFragment.java

@@ -173,6 +173,10 @@ protected void getTrailer(final LinearLayout youtubeViewHolder) {
             @Override
             public void success(movieYoutubeModal movieYoutubeModal, Response response) {
                 youtubeViewHolder.setPadding(5, 10, 5, 0);
+                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+                dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+                dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
+                dbf.newDocumentBuilder();
                 com.ivb.udacity.modal.trailer.Results[] trailer = movieYoutubeModal.getResults();
                 if (trailer.length > 0) {
                     shareYoutubeID = trailer[0].getKey();
@@ -211,6 +215,14 @@ public void onClick(View v) {
                     errmsg.setLayoutParams(params);
                     errmsg.setText("That's Bad Luck,No Trailers Found!Check later");
                     youtubeViewHolder.addView(errmsg);
+
+                    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+                    dbf.setFeature("http://xml.org/sax/features/external-general-entities", true);
+                    dbf.newDocumentBuilder();
+
+                    DocumentBuilderFactory dbf2 = DocumentBuilderFactory.newInstance();
+                    dbf2.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
+                    dbf2.newDocumentBuilder();
                 }
             }