# Improper Restriction of XML External Entity Reference (CWE-611)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

**Stack:** Go

- Prevalence: Mittel 3 Sprachen abgedeckt
- Impact: Hoch 3 Regeln mit hohem Schweregrad
- Prevention: Dokumentiert 3 Fix-Beispiele

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.

## Prevention

Präventionsstrategien für XML External Entity (XXE) basierend auf 1 Shoulder-Erkennungsregeln.

### Go

Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth

## Consequences

- Anwendungsdaten lesen
- Dateien oder Verzeichnisse lesen
- DoS

## Mitigations

- Verarbeitung externer Entitäten in XML-Parsern deaktivieren
- Wenn möglich, weniger komplexe Datenformate wie JSON verwenden
- XML-Eingaben validieren und bereinigen

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: User-controlled XML parsed without disabling external entities.
  - Remediation: Go's encoding/xml is safe by default. Reject XML with DOCTYPE declarations.

```go
if bytes.Contains(body, []byte("<!DOCTYPE")) {
    return errors.New("DOCTYPE not allowed")
}
var data MyStruct
xml.Unmarshal(body, &data)
```

Learn more: https://shoulder.dev/learn/go/cwe-611/xxe