All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 2m55s
CI / fail2ban Regex (pull_request) Successful in 42s
CI / Semgrep Security Scan (pull_request) Successful in 18s
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
CI / Unit & Component Tests (push) Successful in 3m3s
CI / OCR Service Tests (push) Successful in 19s
CI / Backend Unit Tests (push) Successful in 2m56s
CI / fail2ban Regex (push) Successful in 40s
CI / Semgrep Security Scan (push) Successful in 17s
CI / Compose Bucket Idempotency (push) Successful in 59s
- Pin semgrep to 1.163.0 to prevent silent upgrades breaking the scan
- Add cache: 'pip' to setup-python@v5 for faster CI runs
- Promote all three XXE Semgrep rules from WARNING to ERROR to match the --error CI flag intent
- Update SAX/StAX rule messages to reference XxeSafeXmlParser and the OWASP XXE prevention cheat sheet
- Remove stale issue reference from regression test comment
- Document XML metacharacter constraint on buildValidOds test helper

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
55 lines
2.3 KiB
YAML
# Semgrep security rules for Familienarchiv backend.
# These rules catch the absence of XXE protection on XML parser factories.
# CWE-611: Improper Restriction of XML External Entity Reference.
# Run: semgrep --config .semgrep/security.yml --error backend/src/

rules:

  # DocumentBuilderFactory without XXE hardening.
  # All call sites must call setFeature("…disallow-doctype-decl", true) before use.
  - id: dbf-xxe-default
    patterns:
      - pattern: $X = DocumentBuilderFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
          ...
    message: >
      DocumentBuilderFactory without XXE protection (CWE-611).
      Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance().
      See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    languages: [java]
    severity: ERROR

  # SAXParserFactory without XXE hardening.
  - id: sax-xxe-default
    patterns:
      - pattern: $X = SAXParserFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
          ...
    message: >
      SAXParserFactory without XXE protection (CWE-611).
      Set disallow-doctype-decl=true, external-general-entities=false, external-parameter-entities=false,
      and load-external-dtd=false before use. Follow the pattern in XxeSafeXmlParser.hardenedFactory().
      See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    languages: [java]
    severity: ERROR

  # XMLInputFactory without XXE hardening (StAX parser).
  - id: stax-xxe-default
    patterns:
      - pattern: $X = XMLInputFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
          ...
    message: >
      XMLInputFactory without XXE protection (CWE-611).
      Set IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false before use.
      Follow the pattern in XxeSafeXmlParser.hardenedFactory().
      See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
    languages: [java]
    severity: ERROR
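The three rules above only check that the hardening call is present after `newInstance()`; what that hardening has to look like is spelled out in the rule messages. The following is an added example, not the project's own `XxeSafeXmlParser`, that configures each of the three factory types exactly as the messages describe and then shows the DOM builder refusing a document that carries a DOCTYPE. The class name `HardenedXmlFactories` and the sample documents are assumptions of this example. Note that each `pattern-not-inside` clause matches the feature URI as a string literal on the same variable that received `newInstance()`, so the code below keeps the literals inline on that variable rather than routing them through a constant or a helper that takes the factory as an argument; moving them would make the rule report a false positive.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;

import org.xml.sax.SAXParseException;

/** Hypothetical hardened factories; mirrors the configuration named in the Semgrep rule messages. */
public final class HardenedXmlFactories {

    /** DOM parser factory: the dbf-xxe-default rule needs the disallow-doctype-decl call on $X. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE entirely removes internal and external entity declarations at once.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** SAX parser factory: the sax-xxe-default rule lists exactly these four features. */
    static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf;
    }

    /** StAX factory: the stax-xxe-default rule asks for both properties set to false. */
    static XMLInputFactory hardenedXmlInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }

    /** Returns true when the hardened DOM parser rejects the given document because of a DOCTYPE. */
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            // Xerces reports that the DOCTYPE is disallowed when the feature is set to true.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one that declares an entity via a DOCTYPE.
        String plain = "<?xml version=\"1.0\"?><record><name>test</name></record>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE record [<!ENTITY e \"placeholder\">]>"
                + "<record>&e;</record>";

        System.out.println("plain document rejected:   " + rejectsDoctype(plain));        // false
        System.out.println("DOCTYPE document rejected: " + rejectsDoctype(withDoctype));  // true

        // The SAX and StAX factories are built the same way; only their hardening calls differ.
        hardenedSaxParserFactory().newSAXParser();
        hardenedXmlInputFactory();
    }
}
```

The `disallow-doctype-decl` feature is the one check the CI rules key on because it closes both XXE and entity-expansion (billion laughs) in a single setting; the remaining features only matter on parsers where a DOCTYPE must be tolerated, which is why the messages tell callers to keep all of them and route through the project's `hardenedFactory()` rather than repeating the list at every call site.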