Weak authentication

ID

scala.xml.scala_xml_rule_samlignorecomments

Severity

low

Resource

Xml

Language

Scala

Description

Configuring the SAML parser pool to keep XML comments (BasicParserPool.setIgnoreComments(false)) may lead to authentication bypass

Rationale

A SAML assertion's signature is verified over its canonical form, and XML canonicalization strips comments. A parser that keeps comments, however, turns a subject such as `<NameID>user@example.com<!---->.evil.com</NameID>` (illustrative values) into an element with two text nodes separated by a comment node. Code that reads the subject from the first text node sees `user@example.com`, while the value that was actually signed is `user@example.com.evil.com`. An attacker who holds a legitimately signed assertion for an identity they control can therefore insert a comment into the NameID and be accepted by the service provider as a different user, with signature validation still succeeding. OpenSAML's BasicParserPool ignores comments by default, so the DOM never contains the split; this rule flags code that turns that setting off, whether with a literal `false` or through a constant passed to the setter.

The following code illustrates a vulnerable pattern detected by this rule:

import org.opensaml.xml.parse.BasicParserPool
import org.springframework.context.annotation.{Bean, Configuration}

@Configuration
class SAMLIgnoreComments {
  @Bean private[xml] def parserPool: BasicParserPool = {
    val pool = new BasicParserPool
    // VULNERABLE: Weak authentication
    // Comments are kept in the parsed DOM, so a comment inside NameID splits its text node.
    pool.setIgnoreComments(false)
    pool
  }

  @Bean private[xml] def parserPool2(): BasicParserPool = {
    val shouldIgnore = false
    val pool = new BasicParserPool
    // VULNERABLE: Weak authentication
    // The rule also tracks a constant false that reaches the setter through a local.
    pool.setIgnoreComments(shouldIgnore)
    pool
  }
}

Remediation

Leave `ignoreComments` at its default of `true`, or call `pool.setIgnoreComments(true)` explicitly, so that comment nodes never reach the DOM that the SAML unmarshaller and your application read. Do not derive the flag from a local, a property or a profile switch that can evaluate to `false`; if a parser pool is also declared in Spring XML configuration, check that its `ignoreComments` property is not set to `false` there. Dropping comments at parse time is the fix to rely on: extraction code that happens to concatenate text nodes (for example `getTextContent`) is not fooled by a comment, but every consumer of the DOM would have to behave that way.
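The following is an added example, not code from the rule page or from OpenSAML or Spring Security SAML. It reproduces the text-node split described in the rationale and the effect of the remediation, using only the JDK's DOM parser: `DocumentBuilderFactory.setIgnoringComments` is the setting that OpenSAML's `BasicParserPool.setIgnoreComments` forwards to the factory it wraps. The assertion fragment and the NameID values are constructed for the demonstration, and `subjectFromFirstTextNode` is a deliberately naive extraction idiom, not OpenSAML's unmarshaller.

```scala
import java.io.ByteArrayInputStream
import java.nio.charset.StandardCharsets
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.{Document, Element}

object SamlCommentSplitDemo {
  private val SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion"

  // Constructed sample (not a real assertion): an attacker holding a valid
  // assertion for "user@example.com.evil.com" has inserted an empty comment.
  // Exclusive canonicalization strips comments, so the signature over this
  // NameID is identical to the signature over the uncommented value.
  val tamperedAssertion: String =
    s"""<Assertion xmlns="$SamlNs">
       |  <Subject>
       |    <NameID>user@example.com<!---->.evil.com</NameID>
       |  </Subject>
       |</Assertion>""".stripMargin

  // ignoreComments plays the role of BasicParserPool.setIgnoreComments, which
  // OpenSAML forwards to DocumentBuilderFactory.setIgnoringComments (assumption
  // about the wrapped factory; the JDK call itself is what is exercised here).
  def parse(xml: String, ignoreComments: Boolean): Document = {
    val factory = DocumentBuilderFactory.newInstance()
    factory.setNamespaceAware(true)
    // DTD/XXE hardening that any SAML parser should carry regardless of comments.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    factory.setIgnoringComments(ignoreComments)
    factory.newDocumentBuilder().parse(
      new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
  }

  private def nameId(doc: Document): Element =
    doc.getElementsByTagNameNS(SamlNs, "NameID").item(0).asInstanceOf[Element]

  // Naive extraction that reads only the first DOM child of NameID. With
  // comments kept, the first child is the text node before the comment.
  def subjectFromFirstTextNode(doc: Document): String =
    nameId(doc).getFirstChild.getNodeValue

  // getTextContent concatenates all text descendants and skips comment nodes,
  // so it returns the signed value whether or not comments were kept.
  def subjectFromTextContent(doc: Document): String =
    nameId(doc).getTextContent

  def main(args: Array[String]): Unit = {
    val keptComments = parse(tamperedAssertion, ignoreComments = false)
    val droppedComments = parse(tamperedAssertion, ignoreComments = true)
    println(s"ignoreComments=false, first text node: ${subjectFromFirstTextNode(keptComments)}")
    println(s"ignoreComments=false, getTextContent:  ${subjectFromTextContent(keptComments)}")
    println(s"ignoreComments=true,  first text node: ${subjectFromFirstTextNode(droppedComments)}")
    println(s"ignoreComments=true,  getTextContent:  ${subjectFromTextContent(droppedComments)}")
  }
}
```

With `ignoreComments = false` the first-text-node read returns `user@example.com` while the signed value is `user@example.com.evil.com`; with `ignoreComments = true` the parser coalesces the characters on either side of the dropped comment into one text node, and both extraction methods agree on the signed value. That is why the remediation is applied at the parser pool rather than in every piece of code that reads the DOM.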

Configuration

This detector does not need any configuration.

References