This is a Fortify issue, and it is actually a good idea to validate the XML files being read.
Sample description (by Fortify):
Abstract:
The method XMLReportReader() in XMLReportReader.java fails to enable validation before parsing XML on line 50, which gives an attacker the opportunity to supply malicious input.
Explanation:
Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input. It is not possible for an XML parser to validate all aspects of a document's content; a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-formed.
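The Fortify text says "a DTD or XML schema", but the two are not equivalent from a security standpoint: turning on DTD validation (`setValidating(true)`) validates the document against whatever DTD the document itself declares, so a hostile input simply brings a DTD that matches it, and DOCTYPE processing is also what enables external-entity (XXE) and entity-expansion attacks. The fix that actually removes the attacker's freedom is to validate against a schema the application controls and to refuse DOCTYPE altogether. The following is an added example, not code from XMLReportReader.java or any other part of the project; the class name `ValidatingReportReader` and the embedded schema are constructed for illustration and assume a report format of `<report>` containing `<test name=... status=...>` elements.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

// Hypothetical reader: validates every report against a schema we ship,
// and refuses any document that tries to declare its own DTD.
public class ValidatingReportReader {

    // Constructed sample schema: the only structure a report may have.
    private static final String REPORT_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"report\">"
      + "    <xs:complexType>"
      + "      <xs:sequence>"
      + "        <xs:element name=\"test\" maxOccurs=\"unbounded\">"
      + "          <xs:complexType>"
      + "            <xs:attribute name=\"name\" type=\"xs:string\" use=\"required\"/>"
      + "            <xs:attribute name=\"status\" use=\"required\">"
      + "              <xs:simpleType>"
      + "                <xs:restriction base=\"xs:string\">"
      + "                  <xs:enumeration value=\"passed\"/>"
      + "                  <xs:enumeration value=\"failed\"/>"
      + "                </xs:restriction>"
      + "              </xs:simpleType>"
      + "            </xs:attribute>"
      + "          </xs:complexType>"
      + "        </xs:element>"
      + "      </xs:sequence>"
      + "    </xs:complexType>"
      + "  </xs:element>"
      + "</xs:schema>";

    private final DocumentBuilderFactory factory;

    public ValidatingReportReader() throws ParserConfigurationException, SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // The schema compiler must not fetch anything from the network or disk either.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(REPORT_XSD)));

        factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Validate against OUR schema, not a DTD the document brings with it.
        factory.setSchema(schema);
        // setValidating(true) would mean DTD validation; keep it off.
        factory.setValidating(false);
        // Reject any DOCTYPE: this blocks XXE and entity-expansion ("billion laughs").
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    }

    public Document read(String xml) throws IOException, SAXException, ParserConfigurationException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        // The default ErrorHandler only prints validation errors; make them fatal.
        builder.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) throws SAXException { throw e; }
            public void error(SAXParseException e) throws SAXException { throw e; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        ValidatingReportReader reader = new ValidatingReportReader();
        // Constructed inputs: one conforming report, one with a value outside the
        // schema's enumeration, one carrying a DOCTYPE with an external entity.
        String good = "<report><test name=\"t1\" status=\"passed\"/></report>";
        String badStatus = "<report><test name=\"t1\" status=\"maybe\"/></report>";
        String xxe = "<!DOCTYPE report [<!ENTITY x SYSTEM \"file:///etc/passwd\">]>"
                   + "<report><test name=\"&x;\" status=\"passed\"/></report>";
        System.out.println("accepted: " + reader.read(good).getDocumentElement().getTagName());
        for (String doc : new String[] { badStatus, xxe }) {
            try {
                reader.read(doc);
                System.out.println("UNEXPECTED: accepted");
            } catch (SAXException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Two details matter in practice. First, `DocumentBuilder`'s default error handler only reports schema violations to stderr and carries on, so without the explicit `ErrorHandler` the validation would be decorative. Second, the `disallow-doctype-decl` and external-entity feature URIs are those of the JDK's bundled Xerces parser; a different JAXP implementation on the classpath may spell them differently or reject them with `ParserConfigurationException`, which should be treated as a hard failure rather than silently ignored.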
relates to: CODETOOLS-7107961 XMLServiceReader - validate XML (Closed)