Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.
Como corrigir esta vulnerabilidade
Estratégias de prevenção para XML External Entity (XXE) baseadas em 3 regras de detecção do Shoulder.
Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth
package main import ( - "encoding/xml" - "io/ioutil" - "net/http" - ) - - type Data struct { - XMLName xml.Name `xml:"data"` - Value string `xml:"value"` - } - - func handler(w http.ResponseWriter, r *http.Request) { - body, _ := ioutil.ReadAll(r.Body) - // Potentially vulnerable: parsing untrusted XML without DOCTYPE check - var data Data - xml.Unmarshal(body, &data) + "bytes" + "encoding/xml" + "errors" + "io/ioutil" + "net/http" + ) + + type Data struct { + XMLName xml.Name `xml:"data"` + Value string `xml:"value"` + } + + func safeXMLUnmarshal(body []byte, v interface{}) error { + // Defense in depth: reject XML with DOCTYPE declarations + if bytes.Contains(body, []byte("<!DOCTYPE")) || + bytes.Contains(body, []byte("<!ENTITY")) { + return errors.New("DOCTYPE/ENTITY declarations not allowed") + } + return xml.Unmarshal(body, v) + } + + func handler(w http.ResponseWriter, r *http.Request) { + body, _ := ioutil.ReadAll(r.Body) + var data Data + if err := safeXMLUnmarshal(body, &data); err != nil { + http.Error(w, "Invalid XML", 400) + return + } w.Write([]byte(data.Value)) }
Disable external entity processing in XML parsers or use JSON instead of XML
const express = require('express'); - const libxmljs = require('libxmljs'); - const app = express(); - - app.post('/parse', (req, res) => { - const xmlContent = req.body.xml; - const doc = libxmljs.parseXml(xmlContent); - res.json({ root: doc.root().name() }); + const { XMLParser } = require('fast-xml-parser'); + const app = express(); + + const parser = new XMLParser({ + processEntities: false, + allowBooleanAttributes: true, + }); + + app.post('/parse', (req, res) => { + try { + const result = parser.parse(req.body.xml); + res.json(result); + } catch (e) { + res.status(400).json({ error: 'Invalid XML' }); + } });
Use defusedxml instead of standard XML parsers for untrusted input
- from lxml import etree - from flask import request - - @app.route('/api/xml', methods=['POST']) - def parse_xml(): - root = etree.fromstring(request.data) - return {'name': root.find('name').text} + import defusedxml.ElementTree as ET + from flask import request, jsonify + + @app.route('/api/xml', methods=['POST']) + def parse_xml(): + try: + root = ET.fromstring(request.data) + return jsonify({'name': root.find('name').text}) + except ET.ParseError: + return jsonify({'error': 'Invalid XML'}), 400
Práticas-chave
- Use denial of service
Encontre vulnerabilidades no seu código
Use o Shoulder para escanear seu código em busca de padrões Improper Restriction of XML External Entity Reference. 3 regras.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=611 # Or scan entire project npx @shoulderdev/cli trust .
Regras de Detecção (3)
O que observar nas revisões de código
Estes padrões indicam vulnerabilidades potenciais de Improper Restriction of XML External Entity Reference. Procure-os durante revisões de código e auditorias de segurança.
Escaneie seu código para Improper Restriction of XML External Entity Reference
O Shoulder CLI encontra padrões vulneráveis em todo o seu código.