# Improper Restriction of XML External Entity Reference (CWE-611)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

- Prevalence: Média 3 linguagens cobertas
- Impact: Alto 3 regras de severidade alta
- Prevention: Documentada 3 exemplos de correção

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.

## Prevention

Estratégias de prevenção para XML External Entity (XXE) baseadas em 3 regras de detecção do Shoulder.

### Key Practices

- Use denial of service

### Go

Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth

### JavaScript

Disable external entity processing in XML parsers or use JSON instead of XML

### Python

Use defusedxml instead of standard XML parsers for untrusted input

## Warning Signs

- [HIGH] unsafe XML parsing that could allow XML External Entity (XXE) attacks
- [HIGH] XML parsing with external entity processing enabled

## Consequences

- Ler dados da aplicação
- Ler arquivos ou diretórios
- DoS

## Mitigations

- Desative o processamento de entidades externas em parsers XML
- Use formatos de dados menos complexos como JSON quando possível
- Valide e sanitize entradas XML

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: User-controlled XML parsed without disabling external entities.
  - Remediation: Go's encoding/xml is safe by default. Reject XML with DOCTYPE declarations.

```go
if bytes.Contains(body, []byte("<!DOCTYPE")) {
    return errors.New("DOCTYPE not allowed")
}
var data MyStruct
xml.Unmarshal(body, &data)
```

Learn more: https://shoulder.dev/learn/go/cwe-611/xxe

### Javascript (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: Detects unsafe XML parsing that could allow XML External Entity (XXE) attacks.
XXE can lead to file disclosure, SSRF, denial of service, and other attacks.
  - Remediation: Disable external entity processing or use JSON instead of XML.

```javascript
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: false });
const result = parser.parse(xmlData);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-611/xxe

### Typescript (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: Detects unsafe XML parsing that could allow XML External Entity (XXE) attacks.
XXE can lead to file disclosure, SSRF, denial of service, and other attacks.
  - Remediation: Disable external entity processing or use JSON instead of XML.

```javascript
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: false });
const result = parser.parse(xmlData);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-611/xxe

### Python (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: Detects XML parsing with external entity processing enabled. XXE attacks
allow attackers to read local files, perform SSRF, or cause denial of service.
Always disable external entity processing when parsing untrusted XML.
  - Remediation: Use defusedxml instead of standard XML parsers for untrusted input.

```python
import defusedxml.ElementTree as ET
from flask import request, jsonify

@app.route('/api/xml', methods=['POST'])
def parse_xml():
    try:
        root = ET.fromstring(request.data)
        return jsonify({'name': root.find('name').text})
    except ET.ParseError:
        return jsonify({'error': 'Invalid XML'}), 400
```

Learn more: https://shoulder.dev/learn/python/cwe-611/xxe