CXX.SV.XXE

Function call disabling attempt to resolve entity is missing

Application is vulnerable to XML-oriented attacks

An application must not be vulnerable to XML external entity (XXE) processing, a type of XML-oriented attack.

Vulnerability and risk

XML external entity attacks can happen when an application parses XML input. When the XML parser is weakly configured, the application may process a reference to an external entity. Processing that external entity can lead to severe issues, such as disclosure of confidential data and server-side request forgery, as well as less severe issues such as denial of service.

Mitigation and prevention

A common mitigation strategy is to ensure that the XML parser that reads the XML input is configured not to follow external entities (entity resolution). Review your XML parser's API to find out how to disable this behavior.

Vulnerable code example

#include <xercesc/parsers/SAXParser.hpp>
XERCES_CPP_NAMESPACE_USE

void funSAXParser(const char *file_name)
{
    SAXParser parser;          // default entity resolution is left enabled
    parser.parse(file_name);   //CXX.DISA.XXE
}

In this example, Klocwork reports a CXX.DISA.XXE defect at the parser.parse() call to flag the parsing of the XML file. Because setDisableDefaultEntityResolution() is never called on the SAXParser object, the code fails to prevent the resolution of external entities.

Fixed code example

#include <xercesc/parsers/SAXParser.hpp>
XERCES_CPP_NAMESPACE_USE

void funSAXParser(const char *file_name)
{
    SAXParser parser;
    parser.setDisableDefaultEntityResolution(true);   // external entities are no longer fetched
    parser.parse(file_name);   //no DISA.XXE since entity resolution has been disabled
}

The default (vulnerable) behavior of the SAXParser object is to resolve external entities. In the fixed code example, Klocwork does not report a defect because setDisableDefaultEntityResolution() is called with the argument true, so the parser will not attempt to fetch an external entity when its resolveEntity() method is invoked.
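To make the difference between the two configurations concrete, the following toy parser is an added example (not Klocwork's or Xerces-C++'s code) that models the mechanism: it reads <!ENTITY name SYSTEM "id"> declarations from the DOCTYPE and expands &name; references, with a constructed in-memory table standing in for the file system and a flag named after setDisableDefaultEntityResolution(). The names ToyParser, kExternalSources, kPayload, parseDefault and parseHardened are assumptions made here.

```cpp
#include <map>
#include <regex>
#include <string>

// Constructed stand-in for the files/URLs a real parser would fetch.
static const std::map<std::string, std::string> kExternalSources = {
    {"file:///etc/hostname", "db-server-01"}};

struct ToyParser {
    bool disableDefaultEntityResolution = false;         // mirrors SAXParser's setter
    std::map<std::string, std::string> externalEntities;  // entity name -> system id

    // Default resolver: fetch the system id, or decline when resolution is disabled.
    bool resolveEntity(const std::string& systemId, std::string& out) const {
        if (disableDefaultEntityResolution) return false;
        auto it = kExternalSources.find(systemId);
        if (it == kExternalSources.end()) return false;
        out = it->second;
        return true;
    }

    // Collect external entity declarations, then expand &name; references in the
    // body that follows the DOCTYPE internal subset (predefined entities ignored).
    std::string parse(const std::string& xml) {
        static const std::regex decl(R"re(<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]*)"\s*>)re");
        for (std::sregex_iterator it(xml.begin(), xml.end(), decl), end; it != end; ++it)
            externalEntities[(*it)[1].str()] = (*it)[2].str();
        std::size_t subsetEnd = xml.find("]>");
        std::string body = subsetEnd == std::string::npos ? xml : xml.substr(subsetEnd + 2);
        static const std::regex ref(R"re(&(\w+);)re");
        std::string out; std::smatch m;
        auto cur = body.cbegin();
        while (std::regex_search(cur, body.cend(), m, ref)) {
            out.append(cur, m[0].first);
            auto e = externalEntities.find(m[1].str());
            std::string text;
            // Resolved entities are inlined; unresolved ones are dropped, like skippedEntity().
            if (e != externalEntities.end() && resolveEntity(e->second, text)) out += text;
            cur = m[0].second;
        }
        out.append(cur, body.cend());
        return out;
    }
};

// Constructed XXE-style input: an external entity that names a local file.
static const std::string kPayload =
    "<?xml version=\"1.0\"?>"
    "<!DOCTYPE data [ <!ENTITY host SYSTEM \"file:///etc/hostname\"> ]>"
    "<data>&host;</data>";

// Vulnerable default inlines the file contents; the hardened parser never fetches them.
std::string parseDefault() { ToyParser p; return p.parse(kPayload); }
std::string parseHardened() { ToyParser p; p.disableDefaultEntityResolution = true; return p.parse(kPayload); }
```

parseDefault() yields the file contents inside the document, which is the disclosure the checker guards against, while parseHardened() yields an empty element.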

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.