SV.XXE.SPF
Possibility of an XML External Entity attack
This error occurs when XML input is processed by a weakly-configured XML parser, SAXParserFactory.
Vulnerability and risk
An XML external entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly-configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, or other system impacts.
Mitigation and prevention
The safest way to prevent an XML external entity attack is to always completely disable DTDs (external entities). Depending on the parser, the method can be different.
Vulnerable code example
import javax.xml.parsers.SAXParserFactory;
public class Test {
public void test() {
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.newSAXParser();
}
}
In this example, Klocwork reports an SV.XXE.SPF error at line 5, indicating that XML input is processed by a weakly configured XML parser 'SAXParserFactory'.
Fixed code example
import javax.xml.parsers.SAXParserFactory;
public class Test {
public void test() {
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
spf.newSAXParser();
}
}
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.