add new method

righettod · righettod · commit 076280514c64 · 2025-07-04T09:11:25.000+02:00
diff --git a/src/main/java/eu/righettod/SecurityUtils.java b/src/main/java/eu/righettod/SecurityUtils.java
@@ -46,6 +46,8 @@
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.events.XMLEvent;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
 import java.awt.*;
 import java.awt.image.BufferedImage;
 import java.io.*;
@@ -1379,4 +1381,35 @@ public static UUID computeUUIDv7() {
         UUID uuidv7 = new UUID(high, low);
         return uuidv7;
     }
+
+    /**
+     * Ensure that an XSD file does not contain any include/import instruction (prevent exposure to SSRF).
+     *
+     * @param xsdFilePath Filename of the XSD file to check.
+     * @return True only if the file pass all validations.
+     * @see "https://portswigger.net/web-security/ssrf"
+     * @see "https://www.w3schools.com/Xml/el_import.asp"
+     * @see "https://www.w3schools.com/xml/el_include.asp"
+     * @see "https://www.linkedin.com/posts/righettod_appsec-appsecurity-java-activity-7344048434326188053-6Ru9"
+     * @see "https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/validation/SchemaFactory.html#setProperty(java.lang.String,java.lang.Object)"
+     */
+    public static boolean isXSDSafe(String xsdFilePath) {
+        boolean isSafe = false;
+        try {
+            File xsdFile = new File(xsdFilePath);
+            if (xsdFile.exists() && xsdFile.canRead() && xsdFile.isFile()) {
+                //Parse the XSD file, if an exception occur then it's imply that the XSD specified is not a valid ones
+                //Create an schema factory throwing Exception if a external schema is specified
+                SchemaFactory schemaFactory = SchemaFactory.newDefaultInstance();
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+                //Parse the schema
+                Schema schema = schemaFactory.newSchema(xsdFile);
+                isSafe = (schema != null);
+            }
+        } catch (Exception e) {
+            isSafe = false;
+        }
+        return isSafe;
+    }
 }
diff --git a/src/test/java/eu/righettod/TestSecurityUtils.java b/src/test/java/eu/righettod/TestSecurityUtils.java
@@ -655,5 +655,19 @@ public void computeUUIDv7() {
             history.add(uuidStr);
         }
     }
+
+    @Test
+    public void isXSDSafe() {
+        List<String> unsafeFileList = Arrays.asList("test-xsd-with-external-schema-via-import.xsd", "test-xsd-with-external-schema-via-include.xsd");
+        unsafeFileList.forEach(f -> {
+            String testFile = getTestFilePath(f);
+            assertFalse(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_NEGATIVE_FOR_FILE, testFile));
+        });
+        List<String> safeFileList = Arrays.asList("test-xsd-no-external-schema.xsd");
+        safeFileList.forEach(f -> {
+            String testFile = getTestFilePath(f);
+            assertTrue(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_POSITIVE_FOR_FILE, testFile));
+        });
+    }
 }
 
diff --git a/src/test/resources/test-xsd-no-external-schema.xsd b/src/test/resources/test-xsd-no-external-schema.xsd
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.example.com/purchaseorder" elementFormDefault="qualified">
+	<xs:element name="orderId" type="xs:string"/>
+</xs:schema>
diff --git a/src/test/resources/test-xsd-with-external-schema-via-import.xsd b/src/test/resources/test-xsd-with-external-schema-via-import.xsd
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.example.com/purchaseorder" elementFormDefault="qualified">
+	<xs:import namespace="http://example.com/person" schemaLocation="https://righettod.eu/test.xsd"/>
+	<xs:element name="orderId" type="xs:string"/>
+</xs:schema>
diff --git a/src/test/resources/test-xsd-with-external-schema-via-include.xsd b/src/test/resources/test-xsd-with-external-schema-via-include.xsd
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.example.com/purchaseorder" elementFormDefault="qualified">
+	<xs:include schemaLocation="https://righettod.eu/test.xsd"/>
+	<xs:element name="orderId" type="xs:string"/>
+</xs:schema>

Original file line number	Diff line number	Diff line change
`@@ -655,5 +655,19 @@ public void computeUUIDv7() {`
`655`	`655`	`history.add(uuidStr);`
`656`	`656`	`}`
`657`	`657`	`}`
	`658`	`+`
	`659`	`+ @Test`
	`660`	`+ public void isXSDSafe() {`
	`661`	`+ List<String> unsafeFileList = Arrays.asList("test-xsd-with-external-schema-via-import.xsd", "test-xsd-with-external-schema-via-include.xsd");`
	`662`	`+ unsafeFileList.forEach(f -> {`
	`663`	`+ String testFile = getTestFilePath(f);`
	`664`	`+ assertFalse(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_NEGATIVE_FOR_FILE, testFile));`
	`665`	`+ });`
	`666`	`+ List<String> safeFileList = Arrays.asList("test-xsd-no-external-schema.xsd");`
	`667`	`+ safeFileList.forEach(f -> {`
	`668`	`+ String testFile = getTestFilePath(f);`
	`669`	`+ assertTrue(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_POSITIVE_FOR_FILE, testFile));`
	`670`	`+ });`
	`671`	`+ }`
`658`	`672`	`}`
`659`	`673`