BÊTA Shoulder est en bêta — Les résultats peuvent parfois être incorrects. Vos retours façonnent ce que nous corrigeons ensuite. Donner mon avis
📄

Improper Restriction of XML External Entity Reference

🛡️ 3 règles détectent ceci

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.

Prévalence
Moyenne
3 langages couverts
Impact
Élevé
3 règles de sévérité élevée
Prévention
Documentée
3 exemples de correctifs
2 Prévention
2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour XML External Entity (XXE) basées sur 3 règles de détection Shoulder.

XML External Entity (XXE) Injection HIGH

Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth

+28 -15 go
  package main
  
  import (
-     "encoding/xml"
-     "io/ioutil"
-     "net/http"
- )
- 
- type Data struct {
-     XMLName xml.Name `xml:"data"`
-     Value   string   `xml:"value"`
- }
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     body, _ := ioutil.ReadAll(r.Body)
-     // Potentially vulnerable: parsing untrusted XML without DOCTYPE check
-     var data Data
-     xml.Unmarshal(body, &data)
+     "bytes"
+     "encoding/xml"
+     "errors"
+     "io/ioutil"
+     "net/http"
+ )
+ 
+ type Data struct {
+     XMLName xml.Name `xml:"data"`
+     Value   string   `xml:"value"`
+ }
+ 
+ func safeXMLUnmarshal(body []byte, v interface{}) error {
+     // Defense in depth: reject XML with DOCTYPE declarations
+     if bytes.Contains(body, []byte("<!DOCTYPE")) ||
+         bytes.Contains(body, []byte("<!ENTITY")) {
+         return errors.New("DOCTYPE/ENTITY declarations not allowed")
+     }
+     return xml.Unmarshal(body, v)
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     body, _ := ioutil.ReadAll(r.Body)
+     var data Data
+     if err := safeXMLUnmarshal(body, &data); err != nil {
+         http.Error(w, "Invalid XML", 400)
+         return
+     }
      w.Write([]byte(data.Value))
  }
  
XML External Entity (XXE) Injection HIGH

Disable external entity processing in XML parsers or use JSON instead of XML

+15 -7 javascript
  const express = require('express');
- const libxmljs = require('libxmljs');
- const app = express();
- 
- app.post('/parse', (req, res) => {
-   const xmlContent = req.body.xml;
-   const doc = libxmljs.parseXml(xmlContent);
-   res.json({ root: doc.root().name() });
+ const { XMLParser } = require('fast-xml-parser');
+ const app = express();
+ 
+ const parser = new XMLParser({
+   processEntities: false,
+   allowBooleanAttributes: true,
+ });
+ 
+ app.post('/parse', (req, res) => {
+   try {
+     const result = parser.parse(req.body.xml);
+     res.json(result);
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid XML' });
+   }
  });
  
XML External Entity (XXE) Injection HIGH

Use defusedxml instead of standard XML parsers for untrusted input

+10 -7 python
- from lxml import etree
- from flask import request
- 
- @app.route('/api/xml', methods=['POST'])
- def parse_xml():
-     root = etree.fromstring(request.data)
-     return {'name': root.find('name').text}
+ import defusedxml.ElementTree as ET
+ from flask import request, jsonify
+ 
+ @app.route('/api/xml', methods=['POST'])
+ def parse_xml():
+     try:
+         root = ET.fromstring(request.data)
+         return jsonify({'name': root.find('name').text})
+     except ET.ParseError:
+         return jsonify({'error': 'Invalid XML'}), 400
  

Pratiques clés

  • Use denial of service
4 Signes d'Alerte
4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Improper Restriction of XML External Entity Reference. Recherchez-les lors des revues de code et des audits de sécurité.

🟠
unsafe XML parsing that could allow XML External Entity (XXE) attacks javascript-xxe
🟠
XML parsing with external entity processing enabled python-xxe
🔍

Scannez votre base de code pour Improper Restriction of XML External Entity Reference

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.