By DeepSource

SAML comment parsing should be disabled JAVA-S1062

a06 a07 cwe-287 sans top 25 owasp top 10 cwe-1390

Parsing SAML comments should be disabled in applications using OpenSAML2.

SAML uses XML to exchange authentication response. Due to the way XML comments are parsed in various libraries, it is possible to alter the authentication response in such a way that allows an attacker to have unauthorized access to someone else's account. For this reason, applications relying on SAML should always configure the parser so that comments are always ignored.

Bad Practice

<div class="highlight markdown-rendered">
<pre><span></span><code><span class="n">BasicParserPool</span><span class="w"> </span><span class="n">basicPool</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">BasicParserPool</span><span class="p">();</span><span class="w"></span>
<span class="n">basicPool</span><span class="p">.</span><span class="na">setIgnoreComments</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span><span class="w"></span>


In OpenSAML 2.0, the default behavior in all ParserPool implementations is to ignore the comments. Just remove statements that explicitly enable comment parsing in the source.