
I am using javax SchemaFactory to parse an XML file. I get a SonarLint warning "Disable access to external entities in XML parsing." The warning goes away when I add the two properties "ACCESS_EXTERNAL_DTD" and "ACCESS_EXTERNAL_SCHEMA". However, when parsing something I get the runtime error "Feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized." Why is it not recognized, and how do I fix this? My code:

import javax.xml.XMLConstants;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

public class MinimalExample {

    // setProperty declares these two checked exceptions, so main must declare (or catch) them to compile
    public static void main(String[] args) throws SAXNotRecognizedException, SAXNotSupportedException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // An empty string means no protocol is allowed for fetching external DTDs / schemas
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    }
}

I don't understand why those properties are not recognized and don't know what else to try.

  • What is the implementation class of the SchemaFactory that is instantiated? My guess would be that it's a shim designed to wrap some underlying schema factory, and people who write such shims often overlook the need to recognize these standard properties. Commented May 7, 2024 at 17:05
  • Incidentally, if you are processing a schema from a source that you trust, then you can ignore these warnings, and if it's from a source that you don't trust, then you might have bigger problems. Unfortunately lint checkers are rather unsophisticated about such distinctions. Commented May 7, 2024 at 17:07
  • @MichaelKay The implementation class? As you see in the imports, it's "javax", so it comes straight from Oracle. The schemas are trusted. The XML files that are evaluated against those schemas are not. I can't ignore the message because the SonarQube analysis must be clear of such critical issues for this project. Is this message a warning about the schema files or about the XML files that are processed? Commented May 8, 2024 at 9:37
  • javax.xml.validation.Schema is an interface, not an implementation. The whole point of the newInstance() factory mechanism is that you pick up whatever implementation is available at run-time, which might not be Oracle's implementation. Quite honestly, SonarQube analysis is a waste of space: it's picking up that you're not setting some pretty weak security properties, but it's failing to pick up that you might be loading a fake schema processor from anywhere. Commented May 9, 2024 at 11:27
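The comment above asks which implementation class newInstance() actually resolved to. The following is an added diagnostic example, not the asker's code or any project's: it reports the resolved implementation and where it was loaded from, applies the two restrictions one at a time while catching the checked exceptions setProperty declares, and refuses to continue if either property is not honoured. The class name SchemaFactoryHardeningCheck is my own.

```java
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import java.security.CodeSource;

public class SchemaFactoryHardeningCheck {

    /** Names the implementation that the JAXP lookup (system property, jaxp.properties,
     *  ServiceLoader, then the JDK default) picked at run time, and where it came from. */
    static String describeFactory(SchemaFactory factory) {
        Class<?> impl = factory.getClass();
        CodeSource src = impl.getProtectionDomain().getCodeSource();
        // JDK bootstrap classes report no CodeSource; anything else came from the classpath
        String origin = (src == null) ? "<JDK bootstrap>" : String.valueOf(src.getLocation());
        return impl.getName() + " (loaded from " + origin + ")";
    }

    /** Sets one external-access property to "" (no protocol allowed).
     *  Returns false, instead of throwing, when the implementation cannot honour it. */
    static boolean restrictExternalAccess(SchemaFactory factory, String property) {
        try {
            factory.setProperty(property, "");
            return true;
        } catch (SAXNotRecognizedException e) {
            System.err.println(property + " is not recognized by " + factory.getClass().getName());
            return false;
        } catch (SAXNotSupportedException e) {
            System.err.println(property + " is recognized but not supported: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        System.out.println("SchemaFactory implementation: " + describeFactory(factory));

        boolean dtdRestricted = restrictExternalAccess(factory, XMLConstants.ACCESS_EXTERNAL_DTD);
        boolean schemaRestricted = restrictExternalAccess(factory, XMLConstants.ACCESS_EXTERNAL_SCHEMA);

        // Fail closed: untrusted XML must not be validated with a factory that may still
        // fetch external DTDs or schemas. Fix the classpath/lookup rather than swallowing the error.
        if (!(dtdRestricted && schemaRestricted)) {
            throw new IllegalStateException(
                "SchemaFactory cannot restrict external access; refusing to process untrusted XML");
        }
        System.out.println("External DTD and schema access disabled.");
    }
}
```

If the printed origin is a third-party jar rather than the JDK, that jar's factory is what rejected the property, which is the situation the comment above describes.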
