XML external entity expansion
Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks.
XML parsing depends on a user-provided value without guarding against external entity expansion.
Commit SHA: 459cd0fa4ebaaec6cee08c99e42c2050d46521c4
Line Number: 88
Tool Name: CodeQL
File Path: src/app.controller.ts:88
Mitigation: # XML external entity expansion
Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.
Recommendation
The easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of libxml, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.
Example
The following example uses the libxml XML parser to parse a string xmlSrc. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the noent option set to true:
To guard against XXE attacks, the noent option should be omitted or set to false. This means that no entity expansion is undertaken at all, not even for standard internal entities such as &amp; or &gt;. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as underscore, lodash or he.
Impact: See Description
Finding Id : 129139789
Tool Finding Id: 49