# Improper Restriction of XML External Entity Reference (CWE-611) The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. - Prevalence: Moyenne 3 langages couverts - Impact: Élevé 3 règles de sévérité élevée - Prevention: Documentée 3 exemples de correctifs **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service. ## Prevention Stratégies de prévention pour XML External Entity (XXE) basées sur 3 règles de détection Shoulder. ### Key Practices - Use denial of service ### Go Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth ### JavaScript Disable external entity processing in XML parsers or use JSON instead of XML ### Python Use defusedxml instead of standard XML parsers for untrusted input ## Warning Signs - [HIGH] unsafe XML parsing that could allow XML External Entity (XXE) attacks - [HIGH] XML parsing with external entity processing enabled ## Consequences - Lecture des données de l'application - Lire des fichiers ou des répertoires - DoS ## Mitigations - Désactivez le traitement des entités externes dans les analyseurs XML - Utilisez des formats de données moins complexes comme JSON lorsque c'est possible - Validez et assainissez les entrées XML ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (1 rules) - **XML External Entity (XXE) Injection** [HIGH]: User-controlled XML parsed without disabling external entities. - Remediation: Go's encoding/xml is safe by default. Reject XML with DOCTYPE declarations. ```go if bytes.Contains(body, []byte("