Java

By DeepSource

SAML comment parsing should be disabled JAVA-S1062

Security

Parsing of SAML comments should be disabled in applications that use OpenSAML 2.

SAML exchanges authentication responses as XML. Because XML libraries differ in how they handle comments placed inside element text, an attacker can insert a comment into a response so that the value the application reads changes while the XML signature still validates (canonicalization drops comments), which in some implementations grants unauthorized access to another user's account. For this reason, applications that rely on SAML should always configure their parser to ignore comments.

Bad Practice

```java
BasicParserPool basicPool = new BasicParserPool();
basicPool.setIgnoreComments(false);
```

Recommended

In OpenSAML 2.0, every ParserPool implementation ignores comments by default. Remove any statement that explicitly enables comment parsing, such as a call to setIgnoreComments(false), from the source.
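A regression check for the setting this rule describes, added here as an example (not DeepSource's or OpenSAML's own code); it assumes OpenSAML 2's org.opensaml.xml.parse.BasicParserPool with a Xerces-backed DOM, and uses a constructed NameID value rather than a real assertion. It shows why the setting matters: with comments kept, reading the element's first child node returns only the text before the comment.

```java
import java.io.StringReader;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

/** Regression check: the pool that parses SAML responses must not keep XML comments. */
public final class SamlParserPoolCheck {
    // Constructed sample, not a real assertion: NameID text split by an XML comment.
    static final String NAME_ID_XML =
        "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
        + "alice@example.org<!-- x -->.example</saml:NameID>";

    /** The configuration this rule asks for; ignoring comments is also the OpenSAML 2 default. */
    static BasicParserPool hardenedPool() {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.setIgnoreComments(true);
        return pool;
    }

    /** The flagged configuration, kept here only to show what the check catches. */
    static BasicParserPool weakPool() {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.setIgnoreComments(false);
        return pool;
    }

    /**
     * Reads the NameID the way many consumers do: the value of the element's first child only.
     * With comments kept, the DOM holds Text, Comment, Text and this returns just the part
     * before the comment; with comments ignored, Xerces merges both chunks into one Text node.
     */
    static String firstChildValue(BasicParserPool pool, String xml) throws XMLParserException {
        Document doc = pool.parse(new StringReader(xml));
        Node first = doc.getDocumentElement().getFirstChild();
        return first == null ? "" : first.getNodeValue();
    }

    /** True when the pool yields the whole NameID text despite the embedded comment. */
    static boolean ignoresComments(BasicParserPool pool) throws XMLParserException {
        return "alice@example.org.example".equals(firstChildValue(pool, NAME_ID_XML));
    }

    public static void main(String[] args) throws XMLParserException {
        System.out.println("hardened pool ignores comments: " + ignoresComments(hardenedPool()));
        System.out.println("weak pool ignores comments: " + ignoresComments(weakPool()));
    }
}
```

Running ignoresComments against the pool your application actually builds makes a suitable unit test for this rule.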
