XSLT transformation with user-controlled stylesheet¶
ID: java/xslt-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-074
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
Click to see the query in the CodeQL repository
XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.
Recommendation¶
The general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.
Example¶
In the following examples, the code accepts an XSLT stylesheet from the user and processes it.
In the first example, the user-provided XSLT stylesheet is parsed and processed.
In the second example, secure processing mode is enabled.
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
public void transform(Socket socket, String inputXml) throws Exception {
StreamSource xslt = new StreamSource(socket.getInputStream());
StreamSource xml = new StreamSource(new StringReader(inputXml));
StringWriter result = new StringWriter();
TransformerFactory factory = TransformerFactory.newInstance();
// BAD: User provided XSLT stylesheet is processed
factory.newTransformer(xslt).transform(xml, new StreamResult(result));
// GOOD: The secure processing mode is enabled
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.newTransformer(xslt).transform(xml, new StreamResult(result));
}
References¶
Wikipedia: XSLT.
The Java Tutorials: Transforming XML Data with XSLT.
Common Weakness Enumeration: CWE-74.