XML External Entity (XXE) Vulnerability
Description
XML External Entity (XXE) attacks can occur when an XML parser resolves entities declared in a DOCTYPE, including external entities, while processing XML received from an untrusted source. This rule detects XML parsing that does not restrict external entity and DTD access, which can lead to XXE attacks.
Examples
Insecure Code

```scala
import java.io.StringReader
import javax.xml.parsers.DocumentBuilderFactory
import org.xml.sax.InputSource

// Default factory: DTDs and external entities are processed as received.
val df = DocumentBuilderFactory.newInstance
val db = df.newDocumentBuilder
db.parse(new InputSource(new StringReader("<foo><bar/></foo>")))
```

Secure Code

```scala
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.xml.sax.InputSource

val df = DocumentBuilderFactory.newInstance
// Empty string: no protocols allowed for fetching external DTDs or schemas.
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
// Enables entity-expansion limits and other secure-processing defaults.
df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
val db = df.newDocumentBuilder
db.parse(new InputSource(new StringReader("<foo><bar/></foo>")))
```

Remediation
Set the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA attributes to empty strings, and set the FEATURE_SECURE_PROCESSING feature to true on the DocumentBuilderFactory instance. Additionally, consider setting the http://apache.org/xml/features/disallow-doctype-decl feature to true.
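The following is an added, self-contained example (not part of this rule's own code) that wraps the remediation settings above, including the optional disallow-doctype-decl feature, in a reusable builder and shows the resulting parser accepting a plain document while rejecting a constructed document that carries a DOCTYPE with an entity declaration. The helper names `hardenedBuilder` and `parseUntrusted` and the object name are assumptions for illustration.

```scala
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.{DocumentBuilder, DocumentBuilderFactory}
import org.w3c.dom.Document
import org.xml.sax.{InputSource, SAXParseException}
import scala.util.{Failure, Success, Try}

object XxeSafeParse {

  /** Builds a DocumentBuilder with the settings from the remediation section.
    * Helper name is assumed for this example. If the underlying parser does
    * not recognise a feature, setFeature throws and no builder is produced,
    * so the caller never continues with a less restrictive parser. */
  def hardenedBuilder(): DocumentBuilder = {
    val df = DocumentBuilderFactory.newInstance()
    // No protocols permitted for fetching external DTDs or schemas (JAXP 1.5).
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
    // Entity-expansion limits and other secure-processing defaults.
    df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Reject any DOCTYPE at all, so no entity (internal or external) can be declared.
    df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth: no XInclude and no entity expansion in the built tree.
    df.setXIncludeAware(false)
    df.setExpandEntityReferences(false)
    df.newDocumentBuilder()
  }

  /** Parses untrusted XML text; returns Failure on a well-formedness or
    * policy violation instead of a partially built tree. Name is assumed. */
  def parseUntrusted(xml: String): Try[Document] =
    Try(hardenedBuilder().parse(new InputSource(new StringReader(xml))))

  def main(args: Array[String]): Unit = {
    // Constructed inputs for illustration.
    val plain = "<foo><bar/></foo>"
    // A document carrying a DOCTYPE with an internal entity declaration:
    // the hardened builder rejects the DOCTYPE before any entity is resolved.
    val withDoctype = """<!DOCTYPE foo [ <!ENTITY e "x"> ]><foo>&e;</foo>"""

    parseUntrusted(plain) match {
      case Success(doc) => println(s"parsed root: ${doc.getDocumentElement.getTagName}")
      case Failure(e)   => println(s"unexpected failure: ${e.getMessage}")
    }
    parseUntrusted(withDoctype) match {
      case Success(_)                    => println("DOCTYPE accepted: hardening not applied")
      case Failure(e: SAXParseException) => println(s"rejected as expected: ${e.getMessage}")
      case Failure(e)                    => println(s"rejected: ${e.getMessage}")
    }
  }
}
```

Constructing the factory inside the helper, rather than configuring a shared instance after the fact, keeps every call site on the same settings; a code review or this rule then only needs to check that `parseUntrusted` (or its equivalent) is the sole path by which untrusted XML reaches a parser.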
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0093 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Injection |
| OWASP | N/A |