XML internal entity expansion
Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks.
XML parsing depends on a user-provided value without guarding against uncontrolled entity expansion.
Commit SHA: 459cd0fa4ebaaec6cee08c99e42c2050d46521c4
Line Number: 88
Tool Name: CodeQL
File Path: src/app.controller.ts:88
Mitigation: # XML internal entity expansion
Parsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.
In XML, so-called internal entities are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.
If untrusted XML is parsed with entity expansion enabled, an attacker can submit a document whose entity definitions reference each other across several nested levels, so that a single reference in the document body expands to an enormous amount of text (ten levels of ten references each expand to 10^9 copies of the innermost entity from under a kilobyte of input). Parsing such a document takes a very long time or uses large amounts of memory. This is sometimes called an XML bomb or "billion laughs" attack.
Recommendation
The safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of libxmljs (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.
Example
The following example uses the XML parser provided by the node-expat package to parse a string xmlSrc. If that string comes from an untrusted source, this code may be vulnerable to a DoS attack, since node-expat expands internal entities by default:
At the time of writing, node-expat does not provide a way of controlling entity expansion, but the example could be rewritten to use the sax package instead, which only expands the predefined entities such as &amp;:
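Where the parser in use cannot be told to stop expanding entities (the node-expat case above), a second line of defence is to estimate the expanded size before parsing and refuse documents that would blow up. The block below is an added example written for this page; it is not code from the CodeQL query help, from node-expat or from sax, and it has no package dependencies. The helper names (collectInternalEntities, expandedSize, estimateExpansion, assertSafeToParse, billionLaughs) and the 1,000,000-byte limit are assumptions for illustration; the two XML inputs are constructed for the demonstration.

```javascript
// Added example (not from the CodeQL query help, node-expat or sax): a
// pre-parse guard that estimates how large a document would become if its
// internal entities were fully expanded, without actually expanding them.
// Helper names and the default limit are assumptions for illustration.
//
// Scope: only internal general entities declared in the DOCTYPE internal
// subset are considered. External entities (SYSTEM/PUBLIC) and parameter
// entities (%name;) are not resolved here and must be disabled in the
// real parser separately.

const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_:][\w.:-]*);/g;
const DOCTYPE = /<!DOCTYPE[^[>]*(?:\[([\s\S]*?)\])?\s*>/;
const PREDEFINED = new Set(["lt", "gt", "amp", "apos", "quot"]); // each expands to one character

// Map of entity name -> replacement text, taken from the internal subset.
function collectInternalEntities(xml) {
  const entities = new Map();
  const doctype = xml.match(DOCTYPE);
  if (!doctype || doctype[1] === undefined) return entities;
  for (const m of doctype[1].matchAll(ENTITY_DECL)) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Size of `text` after recursively expanding entity references, computed
// symbolically (no replacement text is ever built). Work is bounded by
// `limit`: once the running total passes it the function returns Infinity,
// so the estimator cannot itself be turned into a DoS by the document it is
// checking. A recursive definition (illegal in XML) is also reported as Infinity.
function expandedSize(text, entities, limit, memo = new Map(), visiting = new Set()) {
  let size = 0;
  let last = 0;
  for (const m of text.matchAll(ENTITY_REF)) {
    size += m.index - last;
    last = m.index + m[0].length;
    const name = m[1];
    if (PREDEFINED.has(name)) {
      size += 1;
    } else if (!entities.has(name)) {
      size += m[0].length; // undeclared reference: counted literally, left for the parser to reject
    } else if (memo.has(name)) {
      size += memo.get(name);
    } else if (visiting.has(name)) {
      return Infinity;
    } else {
      visiting.add(name);
      const inner = expandedSize(entities.get(name), entities, limit, memo, visiting);
      visiting.delete(name);
      memo.set(name, inner);
      size += inner;
    }
    if (size > limit) return Infinity;
  }
  return size + (text.length - last);
}

// Expanded size of the document body (everything outside the DOCTYPE).
function estimateExpansion(xml, limit) {
  const entities = collectInternalEntities(xml);
  const body = xml.replace(DOCTYPE, "");
  return expandedSize(body, entities, limit);
}

// Call this before handing `xml` to an expanding parser such as node-expat.
// Returns the estimated expanded size, or throws if it would exceed `maxBytes`.
function assertSafeToParse(xml, maxBytes = 1000000) {
  const size = estimateExpansion(xml, maxBytes);
  if (size > maxBytes) {
    throw new Error("XML entity expansion would exceed " + maxBytes + " bytes; refusing to parse");
  }
  return size;
}

// Constructed benign input: one harmless abbreviation entity.
const BENIGN = `<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>
<note><to>&company;</to><body>hello &amp; welcome</body></note>`;

// Constructed "billion laughs" input: each level references the previous one
// ten times, so &lol9; expands to 10^9 copies of "lol" (about 3 GB).
function billionLaughs(levels = 9) {
  let decls = '<!ENTITY lol "lol">';
  for (let i = 1; i <= levels; i++) {
    const prev = i === 1 ? "lol" : "lol" + (i - 1);
    decls += '\n <!ENTITY lol' + i + ' "' + ("&" + prev + ";").repeat(10) + '">';
  }
  return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n ' + decls + '\n]>\n<lolz>&lol' + levels + ';</lolz>';
}

console.log("benign document expands to", assertSafeToParse(BENIGN), "bytes");
try {
  assertSafeToParse(billionLaughs());
} catch (e) {
  console.log("rejected:", e.message);
}
```

The guard is a complement to, not a substitute for, the recommendation above: disabling entity expansion in the parser remains the primary fix, and external entity resolution must be switched off independently, since this estimator only sees internal general entities. Because the estimate stops as soon as the running total passes the limit, checking a bomb costs only a handful of recursive calls rather than the gigabytes the parser would otherwise allocate.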
Impact: See Description
Finding Id: 129139788
Tool Finding Id: 50