SV.XXE.SPF

Possibility of an XML External Entity attack

This error occurs when XML input is processed by a weakly-configured XML parser, SAXParserFactory.

Vulnerability and risk

An XML external entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly-configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, or other system impacts.

Mitigation and prevention

The safest way to prevent an XML external entity attack is to always completely disable DTDs (external entities). Depending on the parser, the method can be different.

Vulnerable code example

Copy
   import javax.xml.parsers.SAXParserFactory;
   
   public class Test {
       public void test() {
           SAXParserFactory spf = SAXParserFactory.newInstance();
           spf.newSAXParser();
       }    
   }

In this example, Klocwork reports an SV.XXE.SPF error at line 5, indicating that XML input is processed by a weakly configured XML parser 'SAXParserFactory'.

Fixed code example

Copy
   import javax.xml.parsers.SAXParserFactory;
   
   public class Test {
       public void test() {
           SAXParserFactory spf = SAXParserFactory.newInstance();
   
           spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
           spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
           spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
  
           spf.newSAXParser();
      }    
  }

Security training

Application security training materials provided by Secure Code Warrior.