Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.
Comment corriger cette vulnérabilité
Stratégies de prévention pour XML External Entity (XXE) basées sur 3 règles de détection Shoulder.
Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth
package main import ( - "encoding/xml" - "io/ioutil" - "net/http" - ) - - type Data struct { - XMLName xml.Name `xml:"data"` - Value string `xml:"value"` - } - - func handler(w http.ResponseWriter, r *http.Request) { - body, _ := ioutil.ReadAll(r.Body) - // Potentially vulnerable: parsing untrusted XML without DOCTYPE check - var data Data - xml.Unmarshal(body, &data) + "bytes" + "encoding/xml" + "errors" + "io/ioutil" + "net/http" + ) + + type Data struct { + XMLName xml.Name `xml:"data"` + Value string `xml:"value"` + } + + func safeXMLUnmarshal(body []byte, v interface{}) error { + // Defense in depth: reject XML with DOCTYPE declarations + if bytes.Contains(body, []byte("<!DOCTYPE")) || + bytes.Contains(body, []byte("<!ENTITY")) { + return errors.New("DOCTYPE/ENTITY declarations not allowed") + } + return xml.Unmarshal(body, v) + } + + func handler(w http.ResponseWriter, r *http.Request) { + body, _ := ioutil.ReadAll(r.Body) + var data Data + if err := safeXMLUnmarshal(body, &data); err != nil { + http.Error(w, "Invalid XML", 400) + return + } w.Write([]byte(data.Value)) }
Disable external entity processing in XML parsers or use JSON instead of XML
const express = require('express'); - const libxmljs = require('libxmljs'); - const app = express(); - - app.post('/parse', (req, res) => { - const xmlContent = req.body.xml; - const doc = libxmljs.parseXml(xmlContent); - res.json({ root: doc.root().name() }); + const { XMLParser } = require('fast-xml-parser'); + const app = express(); + + const parser = new XMLParser({ + processEntities: false, + allowBooleanAttributes: true, + }); + + app.post('/parse', (req, res) => { + try { + const result = parser.parse(req.body.xml); + res.json(result); + } catch (e) { + res.status(400).json({ error: 'Invalid XML' }); + } });
Use defusedxml instead of standard XML parsers for untrusted input
- from lxml import etree - from flask import request - - @app.route('/api/xml', methods=['POST']) - def parse_xml(): - root = etree.fromstring(request.data) - return {'name': root.find('name').text} + import defusedxml.ElementTree as ET + from flask import request, jsonify + + @app.route('/api/xml', methods=['POST']) + def parse_xml(): + try: + root = ET.fromstring(request.data) + return jsonify({'name': root.find('name').text}) + except ET.ParseError: + return jsonify({'error': 'Invalid XML'}), 400
Pratiques clés
- Use denial of service
Trouvez les vulnérabilités dans votre code
Utilisez Shoulder pour scanner votre code à la recherche de patterns Improper Restriction of XML External Entity Reference. 3 règles.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=611 # Or scan entire project npx @shoulderdev/cli trust .
Règles de Détection (3)
Ce qu'il faut surveiller lors des revues de code
Ces patterns indiquent des vulnérabilités potentielles Improper Restriction of XML External Entity Reference. Recherchez-les lors des revues de code et des audits de sécurité.
Scannez votre base de code pour Improper Restriction of XML External Entity Reference
Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.