# Improper Restriction of XML External Entity Reference (CWE-611) The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. **Stack:** JavaScript - Prevalence: 中 3 言語をカバー - Impact: ハイ 3 件の重大度ハイのルール - Prevention: 文書化済み 3 件の修正例 **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service. ## Prevention 1 件の Shoulder 検出ルールに基づく XML External Entity (XXE) の予防策。 ### JavaScript Disable external entity processing in XML parsers or use JSON instead of XML ## Warning Signs - [HIGH] unsafe XML parsing that could allow XML External Entity (XXE) attacks ## Consequences - アプリケーションデータの読み取り - ファイルまたはディレクトリの読み取り - DoS ## Mitigations - XML パーサーで外部実体の処理を無効にする - 可能であれば JSON のようなよりシンプルなデータ形式を使用する - XML 入力を検証してサニタイズする ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **XML External Entity (XXE) Injection** [HIGH]: Detects unsafe XML parsing that could allow XML External Entity (XXE) attacks. XXE can lead to file disclosure, SSRF, denial of service, and other attacks. - Remediation: Disable external entity processing or use JSON instead of XML. ```javascript const { XMLParser } = require('fast-xml-parser'); const parser = new XMLParser({ processEntities: false }); const result = parser.parse(xmlData); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-611/xxe ### Typescript (1 rules) - **XML External Entity (XXE) Injection** [HIGH]: Detects unsafe XML parsing that could allow XML External Entity (XXE) attacks. XXE can lead to file disclosure, SSRF, denial of service, and other attacks. - Remediation: Disable external entity processing or use JSON instead of XML. ```javascript const { XMLParser } = require('fast-xml-parser'); const parser = new XMLParser({ processEntities: false }); const result = parser.parse(xmlData); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-611/xxe