CWE-112: Missing XML Validation

Description

The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.

Example Vulnerable Codes

Example - 1

The following code loads and parses an XML file.


// Read DOM
try {
    ...
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setValidating( false );
    ...
    c_dom = factory.newDocumentBuilder().parse( xmlFile );
    ...
} catch(Exception ex) {
}

The XML file is loaded without validating it against a known XML Schema or DTD.

Example - 2

The following code creates a DocumentBuilder object to be used in building an XML document.


DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
builderFactory.setNamespaceAware(true);
DocumentBuilder builder = builderFactory.newDocumentBuilder();

The DocumentBuilder object does not validate an XML document against a schema, making it possible to create an invalid XML document.

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.