Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.
如何修复此漏洞
基于 3 条 Shoulder 检测规则的 XML External Entity (XXE) 预防策略。
Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth
package main import ( - "encoding/xml" - "io/ioutil" - "net/http" - ) - - type Data struct { - XMLName xml.Name `xml:"data"` - Value string `xml:"value"` - } - - func handler(w http.ResponseWriter, r *http.Request) { - body, _ := ioutil.ReadAll(r.Body) - // Potentially vulnerable: parsing untrusted XML without DOCTYPE check - var data Data - xml.Unmarshal(body, &data) + "bytes" + "encoding/xml" + "errors" + "io/ioutil" + "net/http" + ) + + type Data struct { + XMLName xml.Name `xml:"data"` + Value string `xml:"value"` + } + + func safeXMLUnmarshal(body []byte, v interface{}) error { + // Defense in depth: reject XML with DOCTYPE declarations + if bytes.Contains(body, []byte("<!DOCTYPE")) || + bytes.Contains(body, []byte("<!ENTITY")) { + return errors.New("DOCTYPE/ENTITY declarations not allowed") + } + return xml.Unmarshal(body, v) + } + + func handler(w http.ResponseWriter, r *http.Request) { + body, _ := ioutil.ReadAll(r.Body) + var data Data + if err := safeXMLUnmarshal(body, &data); err != nil { + http.Error(w, "Invalid XML", 400) + return + } w.Write([]byte(data.Value)) }
Disable external entity processing in XML parsers or use JSON instead of XML
const express = require('express'); - const libxmljs = require('libxmljs'); - const app = express(); - - app.post('/parse', (req, res) => { - const xmlContent = req.body.xml; - const doc = libxmljs.parseXml(xmlContent); - res.json({ root: doc.root().name() }); + const { XMLParser } = require('fast-xml-parser'); + const app = express(); + + const parser = new XMLParser({ + processEntities: false, + allowBooleanAttributes: true, + }); + + app.post('/parse', (req, res) => { + try { + const result = parser.parse(req.body.xml); + res.json(result); + } catch (e) { + res.status(400).json({ error: 'Invalid XML' }); + } });
Use defusedxml instead of standard XML parsers for untrusted input
- from lxml import etree - from flask import request - - @app.route('/api/xml', methods=['POST']) - def parse_xml(): - root = etree.fromstring(request.data) - return {'name': root.find('name').text} + import defusedxml.ElementTree as ET + from flask import request, jsonify + + @app.route('/api/xml', methods=['POST']) + def parse_xml(): + try: + root = ET.fromstring(request.data) + return jsonify({'name': root.find('name').text}) + except ET.ParseError: + return jsonify({'error': 'Invalid XML'}), 400
关键实践
- Use denial of service
查找代码中的漏洞
使用Shoulder扫描代码中的Improper Restriction of XML External Entity Reference模式。 3 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=611 # Or scan entire project npx @shoulderdev/cli trust .
检测规则 (3)
代码审查中需要关注的内容
这些模式表明潜在的Improper Restriction of XML External Entity Reference漏洞。在代码审查和安全审计中注意查找。
扫描你的代码库: Improper Restriction of XML External Entity Reference
Shoulder CLI 在整个代码库中找到易受攻击的模式。