Scala XXE via InputFactory
Description
Detects potential XML External Entity (XXE) vulnerabilities in Scala applications that use XMLInputFactory. The vulnerability occurs when XMLInputFactory.createXMLStreamReader() is called on a factory whose DTD and external entity processing has not been explicitly disabled, which could allow an attacker who controls the XML input to include malicious external entities that the parser then resolves.
Detection Strategy
• Identifies usage of javax.xml.stream.XMLInputFactory in the code imports
• Locates calls to createXMLStreamReader() method
• Checks whether the XMLInputFactory instance is configured with secure parsing settings (such as XMLInputFactory.SUPPORT_DTD or XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES set to false)
• Verifies if the input source (first argument) is properly sanitized against XXE attacks
• Reports a vulnerability if createXMLStreamReader is called with unsafe configuration and unsanitized input
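The strategy above as an added, runnable example (this is not Fluid Attacks' rule code): a small Python checker that walks a Scala source file line by line, tracks each XMLInputFactory variable and whether SUPPORT_DTD or IS_SUPPORTING_EXTERNAL_ENTITIES has been set to false on it, and reports every createXMLStreamReader call made before either property is disabled. The three Scala snippets embedded in it are constructed (the first two mirror the vulnerable and secure examples below, the third hardens the factory only after the reader already exists). The checker assumes the XML input is untrusted, so the sanitization check in the fourth bullet is not modelled, and it recognises both the constant and the string form of the two property names.

```python
# Added example approximating the detection strategy; not Fluid Attacks' rule implementation.
import re
from dataclasses import dataclass
from typing import Dict, List

# Either property set to false neutralises XXE for readers created afterwards. The string
# keys are the real property names behind the XMLInputFactory constants.
SAFE_PROPS = {"SUPPORT_DTD", "IS_SUPPORTING_EXTERNAL_ENTITIES"}
STRING_KEYS = {
    "javax.xml.stream.supportDTD": "SUPPORT_DTD",
    "javax.xml.stream.isSupportingExternalEntities": "IS_SUPPORTING_EXTERNAL_ENTITIES",
}

IMPORT_RE = re.compile(r"^\s*import\s+javax\.xml\.stream\.(?:XMLInputFactory|_)\s*$", re.M)
FACTORY_RE = re.compile(r"\b(?:val|var)\s+(\w+)\s*=\s*XMLInputFactory\.(?:newFactory|newInstance)\(\)")
SET_PROP_RE = re.compile(
    r'(\w+)\.setProperty\(\s*(?:XMLInputFactory\.(\w+)|"([\w.]+)")\s*,\s*(true|false)\s*\)'
)
CREATE_RE = re.compile(r"(\w+)\.createXMLStreamReader\(")


@dataclass
class Finding:
    line: int     # 1-based line of the createXMLStreamReader call
    factory: str  # variable holding the XMLInputFactory
    reason: str


def find_xxe(source: str) -> List[Finding]:
    """One Finding per createXMLStreamReader call on a factory not yet hardened."""
    if not IMPORT_RE.search(source):
        return []  # XMLInputFactory never imported: the rule does not apply
    # factory variable -> {property name: disabled?}, updated in source order
    props: Dict[str, Dict[str, bool]] = {}
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = FACTORY_RE.search(line)
        if m:
            props[m.group(1)] = {}  # fresh factory: nothing disabled yet
            continue
        m = SET_PROP_RE.search(line)
        if m and m.group(1) in props:
            name = m.group(2) or STRING_KEYS.get(m.group(3), "")
            if name in SAFE_PROPS:
                props[m.group(1)][name] = m.group(4) == "false"
            continue
        m = CREATE_RE.search(line)
        # Factories defined elsewhere (parameters, fields) are skipped: their
        # configuration is not visible to a single-file check.
        if m and m.group(1) in props and not any(props[m.group(1)].values()):
            # Order matters: a setProperty below this line does not protect this reader.
            findings.append(Finding(lineno, m.group(1),
                "createXMLStreamReader on a factory with neither SUPPORT_DTD nor "
                "IS_SUPPORTING_EXTERNAL_ENTITIES set to false"))
    return findings


# Constructed Scala snippets: the first two mirror the page's examples, the third
# hardens the factory only after the reader has been created.
VULNERABLE_SAMPLE = """import javax.xml.stream.XMLInputFactory
import java.io.FileReader

def processXML(fileName: String): Unit = {
  val factory = XMLInputFactory.newFactory()
  val reader = new FileReader(fileName)
  val xmlReader = factory.createXMLStreamReader(reader)
  xmlReader.close()
}
"""

SECURE_SAMPLE = """import javax.xml.stream.XMLInputFactory
import java.io.FileReader

def processXML(fileName: String): Unit = {
  val factory = XMLInputFactory.newFactory()
  factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
  factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
  val reader = new FileReader(fileName)
  val xmlReader = factory.createXMLStreamReader(reader)
  xmlReader.close()
}
"""

LATE_HARDENING_SAMPLE = """import javax.xml.stream._
import java.io.StringReader

def parse(payload: String): Unit = {
  val factory = XMLInputFactory.newInstance()
  val xmlReader = factory.createXMLStreamReader(new StringReader(payload))
  factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
  xmlReader.close()
}
"""

if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE),
                       ("late hardening", LATE_HARDENING_SAMPLE)]:
        print(label, [(f.line, f.factory) for f in find_xxe(src)])
```

Treating a factory as hardened when either property is false follows the usual StAX hardening advice; the page's secure example sets both, which is the stronger configuration. Because the checker tracks state in source order, the third sample is reported even though it does eventually call setProperty: the reader produced on the earlier line was created with the factory's default settings and is not affected by the later change.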
Vulnerable code example
import javax.xml.stream.XMLInputFactory
import java.io.FileReader

def processXML(fileName: String): Unit = {
  // Vulnerable: XMLInputFactory created without disabling DTD processing
  val factory = XMLInputFactory.newFactory()
  val reader = new FileReader(fileName)
  val xmlReader = factory.createXMLStreamReader(reader)
  // The reader resolves any external entities declared in the file's DTD
  while (xmlReader.hasNext) xmlReader.next()
  xmlReader.close()
  reader.close()
}

✅ Secure code example
import javax.xml.stream.XMLInputFactory
import java.io.FileReader

def processXML(fileName: String): Unit = {
  val factory = XMLInputFactory.newFactory()
  // Disable DTD and external entity processing to prevent XXE attacks;
  // both properties must be set before the reader is created
  factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
  factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
  val reader = new FileReader(fileName)
  val xmlReader = factory.createXMLStreamReader(reader)
  while (xmlReader.hasNext) xmlReader.next()
  xmlReader.close()
  reader.close()
}