# Improper Restriction of XML External Entity Reference (CWE-611) The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. **Stack:** Python - Prevalence: Medium 3 languages covered - Impact: High 3 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service. ## Prevention Prevention strategies for XML External Entity (XXE) based on 1 Shoulder detection rules. ### Key Practices - Use denial of service ### Python Use defusedxml instead of standard XML parsers for untrusted input ## Warning Signs - [HIGH] XML parsing with external entity processing enabled ## Consequences - Read Application Data - Read Files or Directories - DoS ## Mitigations - Disable external entity processing in XML parsers - Use less complex data formats like JSON when possible - Validate and sanitize XML input ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (1 rules) - **XML External Entity (XXE) Injection** [HIGH]: Detects XML parsing with external entity processing enabled. XXE attacks allow attackers to read local files, perform SSRF, or cause denial of service. Always disable external entity processing when parsing untrusted XML. - Remediation: Use defusedxml instead of standard XML parsers for untrusted input. ```python import defusedxml.ElementTree as ET from flask import request, jsonify @app.route('/api/xml', methods=['POST']) def parse_xml(): try: root = ET.fromstring(request.data) return jsonify({'name': root.find('name').text}) except ET.ParseError: return jsonify({'error': 'Invalid XML'}), 400 ``` Learn more: https://shoulder.dev/learn/python/cwe-611/xxe