Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.
이 취약점을 수정하는 방법
3개의 Shoulder 탐지 규칙을 기반으로 한 XML External Entity (XXE) 예방 전략.
Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth
package main import ( - "encoding/xml" - "io/ioutil" - "net/http" - ) - - type Data struct { - XMLName xml.Name `xml:"data"` - Value string `xml:"value"` - } - - func handler(w http.ResponseWriter, r *http.Request) { - body, _ := ioutil.ReadAll(r.Body) - // Potentially vulnerable: parsing untrusted XML without DOCTYPE check - var data Data - xml.Unmarshal(body, &data) + "bytes" + "encoding/xml" + "errors" + "io/ioutil" + "net/http" + ) + + type Data struct { + XMLName xml.Name `xml:"data"` + Value string `xml:"value"` + } + + func safeXMLUnmarshal(body []byte, v interface{}) error { + // Defense in depth: reject XML with DOCTYPE declarations + if bytes.Contains(body, []byte("<!DOCTYPE")) || + bytes.Contains(body, []byte("<!ENTITY")) { + return errors.New("DOCTYPE/ENTITY declarations not allowed") + } + return xml.Unmarshal(body, v) + } + + func handler(w http.ResponseWriter, r *http.Request) { + body, _ := ioutil.ReadAll(r.Body) + var data Data + if err := safeXMLUnmarshal(body, &data); err != nil { + http.Error(w, "Invalid XML", 400) + return + } w.Write([]byte(data.Value)) }
Disable external entity processing in XML parsers or use JSON instead of XML
const express = require('express'); - const libxmljs = require('libxmljs'); - const app = express(); - - app.post('/parse', (req, res) => { - const xmlContent = req.body.xml; - const doc = libxmljs.parseXml(xmlContent); - res.json({ root: doc.root().name() }); + const { XMLParser } = require('fast-xml-parser'); + const app = express(); + + const parser = new XMLParser({ + processEntities: false, + allowBooleanAttributes: true, + }); + + app.post('/parse', (req, res) => { + try { + const result = parser.parse(req.body.xml); + res.json(result); + } catch (e) { + res.status(400).json({ error: 'Invalid XML' }); + } });
Use defusedxml instead of standard XML parsers for untrusted input
- from lxml import etree - from flask import request - - @app.route('/api/xml', methods=['POST']) - def parse_xml(): - root = etree.fromstring(request.data) - return {'name': root.find('name').text} + import defusedxml.ElementTree as ET + from flask import request, jsonify + + @app.route('/api/xml', methods=['POST']) + def parse_xml(): + try: + root = ET.fromstring(request.data) + return jsonify({'name': root.find('name').text}) + except ET.ParseError: + return jsonify({'error': 'Invalid XML'}), 400
핵심 실천 사항
- Use denial of service
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Improper Restriction of XML External Entity Reference 패턴을 스캔하세요. 3 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=611 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (3)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Improper Restriction of XML External Entity Reference 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Improper Restriction of XML External Entity Reference
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.