SV.XXE.XRF

Possibility of an XML External Entity attack

This error occurs when XML input is processed by a weakly-configured XML parser, XMLReaderFactory.

Vulnerability and risk

An XML external entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly-configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, or other system impacts.

Mitigation and prevention

The safest way to prevent an XML external entity attack is to always completely disable DTDs (external entities). Depending on the parser, the method can be different.

Vulnerable code example

Copy
   import org.xml.sax.XMLReader;
   import org.xml.sax.helpers.XMLReaderFactory;
   
   public class Test {
       public void test() {
           XMLReader reader = XMLReaderFactory.createXMLReader();
           reader.parse("");
       }    
   }

In this example, Klocwork reports an SV.XXE.XRF error at line 6, indicating that XML input is processed by a weakly configured XML parser 'XMLReaderFactory'.

Fixed code example

Copy
   import org.xml.sax.XMLReader;
   import org.xml.sax.helpers.XMLReaderFactory;
   
   public class Test {
       public void test(Source source) {
           XMLReader reader = XMLReaderFactory.createXMLReader();
   
           reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
           reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
           reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
           reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  
           reader.parse("");
      }    
  }

Security training

Application security training materials provided by Secure Code Warrior.