Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.
Jak naprawić tę podatność
Strategie zapobiegania dla XML External Entity (XXE) oparte na 3 regułach detekcji Shoulder.
Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth
package main import ( - "encoding/xml" - "io/ioutil" - "net/http" - ) - - type Data struct { - XMLName xml.Name `xml:"data"` - Value string `xml:"value"` - } - - func handler(w http.ResponseWriter, r *http.Request) { - body, _ := ioutil.ReadAll(r.Body) - // Potentially vulnerable: parsing untrusted XML without DOCTYPE check - var data Data - xml.Unmarshal(body, &data) + "bytes" + "encoding/xml" + "errors" + "io/ioutil" + "net/http" + ) + + type Data struct { + XMLName xml.Name `xml:"data"` + Value string `xml:"value"` + } + + func safeXMLUnmarshal(body []byte, v interface{}) error { + // Defense in depth: reject XML with DOCTYPE declarations + if bytes.Contains(body, []byte("<!DOCTYPE")) || + bytes.Contains(body, []byte("<!ENTITY")) { + return errors.New("DOCTYPE/ENTITY declarations not allowed") + } + return xml.Unmarshal(body, v) + } + + func handler(w http.ResponseWriter, r *http.Request) { + body, _ := ioutil.ReadAll(r.Body) + var data Data + if err := safeXMLUnmarshal(body, &data); err != nil { + http.Error(w, "Invalid XML", 400) + return + } w.Write([]byte(data.Value)) }
Disable external entity processing in XML parsers or use JSON instead of XML
const express = require('express'); - const libxmljs = require('libxmljs'); - const app = express(); - - app.post('/parse', (req, res) => { - const xmlContent = req.body.xml; - const doc = libxmljs.parseXml(xmlContent); - res.json({ root: doc.root().name() }); + const { XMLParser } = require('fast-xml-parser'); + const app = express(); + + const parser = new XMLParser({ + processEntities: false, + allowBooleanAttributes: true, + }); + + app.post('/parse', (req, res) => { + try { + const result = parser.parse(req.body.xml); + res.json(result); + } catch (e) { + res.status(400).json({ error: 'Invalid XML' }); + } });
Use defusedxml instead of standard XML parsers for untrusted input
- from lxml import etree - from flask import request - - @app.route('/api/xml', methods=['POST']) - def parse_xml(): - root = etree.fromstring(request.data) - return {'name': root.find('name').text} + import defusedxml.ElementTree as ET + from flask import request, jsonify + + @app.route('/api/xml', methods=['POST']) + def parse_xml(): + try: + root = ET.fromstring(request.data) + return jsonify({'name': root.find('name').text}) + except ET.ParseError: + return jsonify({'error': 'Invalid XML'}), 400
Kluczowe praktyki
- Use denial of service
Znajdz podatnosci w swoim kodzie
Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Improper Restriction of XML External Entity Reference. 3 reguly.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=611 # Or scan entire project npx @shoulderdev/cli trust .
Reguly Wykrywania (3)
Na co zwracac uwage podczas przegladu kodu
Te wzorce wskazuja na potencjalne podatnosci Improper Restriction of XML External Entity Reference. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.
Przeskanuj swój kod w poszukiwaniu Improper Restriction of XML External Entity Reference
Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.