External parameter entities allowed in XML parser

Description

External parameter entities are enabled via "http://xml.org/sax/features/external-parameter-entities". This may lead to XML External Entity (XXE) vulnerabilities, allowing local file disclosure, denial of service, and Server-Side Request Forgery (SSRF).

Examples

Insecure Code

java

$PARSER.setFeature("http://xml.org/sax/features/external-parameter-entities", true);

Secure Code

java

parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Remediation

Set the feature to `false`: parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false); Additionally, consider disabling DOCTYPE declarations, general external entities, XInclude, and entity expansion if applicable.

Rule Details

Field	Value
ID	CODE-0233
Category	Injection
Severity	MEDIUM
CWE	CWE-611
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	XXE, XML
OWASP	A05:2021-Security Misconfiguration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

External parameter entities allowed in XML parser

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

External parameter entities allowed in XML parser ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

External parameter entities allowed in XML parser

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details