CodeQL documentation

XSLT transformation with user-controlled stylesheet

ID: java/xslt-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-074
Query suites:
  - java-code-scanning.qls
  - java-security-extended.qls
  - java-security-and-quality.qls


XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code: the XSLT 1.0 document() function resolves arbitrary file and network URLs, and processor extensions such as the Java extension functions of Xalan and the JDK's built-in XSLTC let a stylesheet invoke arbitrary Java methods. A stylesheet is therefore a program, not data, and must be treated with the same care as user-supplied code.

Recommendation

The general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode by calling setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) on the TransformerFactory. Do this before the first call to newTransformer or newTemplates: the feature only affects transformers created from the factory after it is set, so a factory that has already been used unconfigured offers no protection for those earlier transformers. What the feature disables is processor-specific; on the JDK's built-in processor it turns off extension functions and, since JAXP 1.5, also restricts external access for document(), xsl:import, xsl:include and DTDs. Check the documentation of any third-party processor (for example Saxon) for the exact effect.

Example

In the following examples, the code accepts an XSLT stylesheet from the user (read from a socket) and applies it to an XML document.

In the first example, the user-provided XSLT stylesheet is compiled and executed without any restriction, so extension functions and document() are available to the attacker.

In the second example, secure processing mode is enabled on the factory before the transformer is created. The snippet shows both variants on one factory for brevity; in real code the feature must be set before the first newTransformer call, because it does not apply retroactively.

import java.io.StringReader;
import java.io.StringWriter;
import java.net.Socket;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltTransformExample {

    public void transform(Socket socket, String inputXml) throws Exception {
        // The stylesheet comes straight from the network: attacker-controlled.
        StreamSource xslt = new StreamSource(socket.getInputStream());
        StreamSource xml = new StreamSource(new StringReader(inputXml));
        StringWriter result = new StringWriter();
        TransformerFactory factory = TransformerFactory.newInstance();

        // BAD: User provided XSLT stylesheet is processed
        factory.newTransformer(xslt).transform(xml, new StreamResult(result));

        // GOOD: The secure processing mode is enabled
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.newTransformer(xslt).transform(xml, new StreamResult(result));
    }
}
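The snippet above shows the fix but not what it stops. The following is an added, self-contained example (not code from the CodeQL documentation or the CodeQL repository) that builds a hardened factory and runs two constructed stylesheets through it: a benign one that reads the input document, and a malicious one in the classic XSLT-injection shape that ignores the input and calls java.lang.Runtime through the Xalan/XSLTC Java extension namespace. The class name XsltSecureProcessingDemo, the helpers hardenedFactory and transform, and both stylesheets are assumptions made for this illustration. On processors that allow Java extension functions by default, the malicious stylesheet would run the command; with secure processing set, the JDK's processor rejects it with a TransformerException, and the example also sets the JAXP 1.5 external-access attributes explicitly so document(), xsl:import and xsl:include are blocked regardless of the processor's secure-mode defaults.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltSecureProcessingDemo {

    // Constructed input document; its contents play no role in the attack.
    static final String INPUT_XML = "<order><id>42</id></order>";

    // Constructed benign stylesheet: emits the order id as text.
    static final String BENIGN_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\">id=<xsl:value-of select=\"/order/id\"/></xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed attacker-controlled stylesheet: never touches the input document and
    // instead uses the Xalan/XSLTC Java extension namespace to call Runtime.exec().
    static final String MALICIOUS_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\""
        + " xmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\">"
        + "<xsl:variable name=\"rt\" select=\"rt:getRuntime()\"/>"
        + "<xsl:variable name=\"p\" select=\"rt:exec($rt, 'id')\"/>"
        + "<xsl:value-of select=\"ob:toString($p)\"/>"
        + "</xsl:template></xsl:stylesheet>";

    /** Builds a factory suitable for untrusted stylesheets. Call before creating any Transformer. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Disables extension functions (and, on the JDK processor, external access) for every
        // Transformer or Templates object created from this factory from now on.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes: an empty protocol list blocks document(), xsl:import/xsl:include
        // and external DTDs explicitly, independent of the processor's secure-mode defaults.
        // A third-party factory that does not know these attributes throws; fail closed rather
        // than silently running with a weaker policy.
        try {
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerException("processor does not support JAXP external-access limits", e);
        }
        return factory;
    }

    /** Compiles the stylesheet, applies it to the document and returns the text output. */
    static String transform(TransformerFactory factory, String xslt, String xml) throws TransformerException {
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory hardened = hardenedFactory();

        // Legitimate stylesheets keep working: prints "id=42".
        System.out.println(transform(hardened, BENIGN_XSLT, INPUT_XML));

        try {
            transform(hardened, MALICIOUS_XSLT, INPUT_XML);
            System.out.println("NOT BLOCKED: this processor still allowed the extension call");
        } catch (TransformerException e) {
            // The JDK's XSLTC reports that the extension function is not allowed while the
            // secure processing feature is set; the exact wording is processor-specific.
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The hardened factory is created once and reused; the important property is that no Transformer is ever obtained from it before the feature and attributes are applied. If your service also needs document() for trusted local resources, do not loosen ACCESS_EXTERNAL_STYLESHEET globally; resolve those documents yourself through a URIResolver that only serves an allow-list.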


