Review

Detector:

Findbugs

Target:

project '

odata4j

' version

0.6

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-3
In File:	org/odata4j/stax2/domimpl/DomXMLFactoryProvider2.java
In Method:	createXMLEventReader(Reader)
Code with Finding:	`class DomXMLFactoryProvider2.DomXMLInputFactory2 { @Override public XMLEventReader2 createXMLEventReader(Reader reader) { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); try { DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(reader)); return new DomXMLEventReader2(document); } catch (Exception e) { throw Throwables.propagate(e); } } }`

Metadata

Hit	Rank	Desc	Type	Violations
Yes	3	SECXXEDOC: The use of DocumentBuilder.parse(...) is vulnerable to XML External Entity attacks	XXE_DOCUMENT

Reviewer Name:	anna
Comment:	https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet