An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a javax.xml.transform.Transformer is created without
enabling "Secure Processing", or when one is created without disabling access to external DTDs and external stylesheets. If an attacker
controls such an external entity, the result may be disclosure of confidential data, denial of service, server-side request forgery, port
scanning from the perspective of the machine where the parser is located, and other system impacts.
This rule raises an issue when a Transformer is created without either of these settings.
Noncompliant code example (the factory is used with its defaults, so external DTDs and stylesheets may be fetched):

    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(input, result);

Compliant solution (enable Secure Processing):

    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    Transformer transformer = factory.newTransformer();
    transformer.transform(input, result);

or (deny all protocols for external DTDs and external stylesheets; the empty string means "no protocol is allowed"):

    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    Transformer transformer = factory.newTransformer();
    transformer.transform(input, result);
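The following is an added, self-contained example (not code from the rule description or from any analyzer) that combines both compliant settings in one helper and shows what the hardened factory does with a stylesheet that tries to import a remote file. The class name HardenedTransformer, the helper names, the XML and XSLT documents, and the http://stylesheets.example.invalid/common.xsl URL are all constructed for this illustration; the JDK's built-in transformer is assumed.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Added example: builds a TransformerFactory with both protections the rule asks for. */
public class HardenedTransformer {

    /** Applies Secure Processing and denies every protocol for external DTDs and stylesheets. */
    public static TransformerFactory newHardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Setting 1: Secure Processing turns on the JAXP security manager (resource limits,
        // restricted external access). Throws TransformerConfigurationException if unsupported.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Setting 2: an empty protocol list means no external DTD and no external stylesheet
        // (xsl:import / xsl:include / document()) may be fetched. Throws IllegalArgumentException
        // if the implementation does not recognise the attribute, which is itself worth knowing.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Runs an XSLT transform of an in-memory document with the hardened factory. */
    public static String transform(String xml, String xslt) throws TransformerException {
        Transformer transformer = newHardenedFactory()
                .newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    // Constructed sample input: a small order document and a stylesheet that extracts one field.
    static final String ORDER_XML = "<order><item>widget</item><qty>3</qty></order>";

    static final String LOCAL_XSLT =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\"><xsl:value-of select=\"order/item\"/></xsl:template>"
          + "</xsl:stylesheet>";

    // Constructed sample stylesheet that imports a remote file; the URL is a placeholder.
    static final String REMOTE_IMPORT_XSLT =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:import href=\"http://stylesheets.example.invalid/common.xsl\"/>"
          + "<xsl:template match=\"/\"><xsl:value-of select=\"order/item\"/></xsl:template>"
          + "</xsl:stylesheet>";

    /** Returns true when the hardened factory refuses the stylesheet with the remote import. */
    public static boolean remoteImportIsRejected() {
        try {
            transform(ORDER_XML, REMOTE_IMPORT_XSLT);
            return false; // the import was followed: the factory is not hardened
        } catch (TransformerException expected) {
            // With ACCESS_EXTERNAL_STYLESHEET="" the JDK reports an access restriction
            // instead of opening a network connection to the placeholder host.
            return true;
        }
    }

    public static void main(String[] args) throws TransformerException {
        System.out.println("local transform: " + transform(ORDER_XML, LOCAL_XSLT));
        System.out.println("remote import rejected: " + remoteImportIsRejected());
    }
}
```

Running main performs the ordinary local transform and then reports that the stylesheet with the remote xsl:import is refused; the same helper can be dropped into a unit test so that a future change that removes either setting is caught before it reaches production.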