# Improper Restriction of XML External Entity Reference (CWE-611)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

**Stack:** Go

- Prevalence: 中 覆盖 3 种语言
- Impact: 高 3 条严重级别为高的规则
- Prevention: 已记录 3 个修复示例

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

XML External Entity (XXE) attacks exploit features of XML parsers to read local files, perform server-side request forgery, or cause denial of service.

## Prevention

基于 1 条 Shoulder 检测规则的 XML External Entity (XXE) 预防策略。

### Go

Go's encoding/xml is safe by default; reject XML with DOCTYPE declarations as defense in depth

## Consequences

- 读取应用程序数据
- 读取文件或目录
- 拒绝服务 (DoS)

## Mitigations

- 在 XML 解析器中禁用外部实体处理
- 尽可能使用 JSON 等更简单的数据格式
- 对 XML 输入进行验证和净化

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **XML External Entity (XXE) Injection** [HIGH]: User-controlled XML parsed without disabling external entities.
  - Remediation: Go's encoding/xml is safe by default. Reject XML with DOCTYPE declarations.

```go
if bytes.Contains(body, []byte("<!DOCTYPE")) {
    return errors.New("DOCTYPE not allowed")
}
var data MyStruct
xml.Unmarshal(body, &data)
```

Learn more: https://shoulder.dev/learn/go/cwe-611/xxe