Improper Restriction of XML External Entity Reference ('XXE')
Description
XMLReaderFactory is used to create a parser without restricting XML external entity references, leaving the application open to XXE attacks. Depending on what the parser is allowed to resolve, this can lead to local file disclosure, communication with attacker-chosen external hosts, data exfiltration, or Denial of Service (DoS).
Examples
Insecure Code
```java
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory; // deprecated since Java 9; no secure defaults are applied

XMLReader reader = XMLReaderFactory.createXMLReader(); // DOCTYPE and external entities are honoured as-is
reader.parse(...);
```
Secure Code
```java
import java.io.FileInputStream;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;
SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DOCTYPE, so no entity can be declared
SAXParser parser = saxParserFactory.newSAXParser();
parser.parse(new FileInputStream("bad.xml"), new DefaultHandler());
```
Remediation
Use SAXParserFactory instead of XMLReaderFactory and configure it to reject DOCTYPE declarations by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Because entities can only be declared inside a DOCTYPE, refusing the DOCTYPE removes the XXE vector entirely.
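As an added, runnable illustration (not part of this rule's own code), the hardened factory from the Secure Code block is placed beside a fallback configuration for inputs that must carry a DOCTYPE, and both are run against a constructed document. The class name, the placeholder SYSTEM path, and the fallback feature set (the standard SAX/Xerces feature URIs) are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardenedSax {
    // Preferred: reject any DOCTYPE, so no entity (internal or external) can even be declared.
    static SAXParserFactory noDoctypeFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Fallback (assumed configuration) when legacy input must carry a DOCTYPE: keep it,
    // but refuse to fetch external general/parameter entities and the external DTD itself.
    static SAXParserFactory noExternalEntitiesFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // True if the parser accepted the document, false if it refused it with a SAXParseException.
    static boolean accepts(SAXParserFactory f, String xml) throws Exception {
        try {
            f.newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs; the SYSTEM path is a placeholder, not a real file.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>"
            + "<d>&ext;</d>";
        String plain = "<?xml version=\"1.0\"?><d>hello</d>";
        System.out.println("disallow-doctype, plain        : " + accepts(noDoctypeFactory(), plain));
        System.out.println("disallow-doctype, with DOCTYPE : " + accepts(noDoctypeFactory(), withDoctype));
        System.out.println("no-external-entities, DOCTYPE  : " + accepts(noExternalEntitiesFactory(), withDoctype));
    }
}
```

With the disallow-doctype factory the second document is refused before any entity is resolved, which is the behaviour the rule expects; the fallback factory accepts the DOCTYPE but never fetches the external resource.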
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0735 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML External Entity |
| OWASP | A1:2017-Injection, A03:2021-Injection |