SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 79

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 80

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
private void createXMLStream(BufferedOutputStream outStream, String quantity)
             throws IOException {
  String xmlString;
  xmlString = "<item>\n<description>Widget</description>\n<price>500.0</price>\n" +
    "<quantity>" + quantity + "</quantity></item>";
  InputSource xmlStream = new InputSource(new StringReader(xmlString));

  // Build a validating SAX parser using our schema
  SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
  DefaultHandler defHandler = new DefaultHandler() {
      public void warning(SAXParseException s) throws SAXParseException {throw s;}
      public void error(SAXParseException s) throws SAXParseException {throw s;}
      public void fatalError(SAXParseException s) throws SAXParseException {throw s;}
    };
  StreamSource ss = new StreamSource(new File("schema.xsd"));
  try {
    Schema schema = sf.newSchema(ss);
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setSchema(schema);
    SAXParser saxParser = spf.newSAXParser();
    // To set the custom entity resolver, an XML reader needs to be created
    XMLReader reader = saxParser.getXMLReader(); 
    reader.setEntityResolver(new CustomResolver());
    saxParser.parse(xmlStream, defHandler);
  } catch (ParserConfigurationException x) {
    throw new IOException("Unable to validate XML", x);
  } catch (SAXException x) {
    throw new IOException("Invalid quantity", x);
  }

  // Our XML is valid, proceed
  outStream.write(xmlString.getBytes());
  outStream.flush();
}

Using a schema or DTD to validate XML is handy when receiving XML that may have been loaded with unsanitized input. If such an XML string has not yet been built, then sanitizing input before constructing XML will yield better performance.

XML External Entity Attacks (XXE)

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="808a6ae3386ad7f7-8ffa43c3-422643e1-b079b40d-bcd421e33e40e8e63c722b75"><ac:plain-text-body><![CDATA[

[[OWASP 2005

AA. Bibliography#OWASP 05]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a3a789077fc588d-d7295f26-4fe64dd9-b3ca86b3-46612018a7a6af0264c3a9b9"><ac:plain-text-body><![CDATA[

[[OWASP 2007

AA. Bibliography#OWASP 07]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4490b89026477266-a1db31c9-459f4ca8-8c029f01-4382b4242a5c3648498ad5c5"><ac:plain-text-body><![CDATA[

[[OWASP 2008

AA. Bibliography#OWASP 08]]

 

]]></ac:plain-text-body></ac:structured-macro>

Testing for XML Injection (OWASP-DV-008)

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9f6cbf5713c51a26-a9203ab9-412c40f0-882ca26e-be8d5d5cf57f4c646575b9cb"><ac:plain-text-body><![CDATA[

[[W3C 2008

AA. Bibliography#W3C 08]]

4.4.3 Included If Validating

]]></ac:plain-text-body></ac:structured-macro>

...