By DeepSource

Audit required: Entity substitution can be vulnerable to XXE attacks PHP-A1010


XML specification allows the use of entities that can be internal or external(file system or network, etc.) which could lead to vulnerabilities such as SSRF or confidential file disclosures. Therefore, enabling external entity substitution via LIBXML_NOENT option can make an application vulnerable to XML External Entity (XXE) attacks.

In past it has led to the following vulnerabilities:

It is recommended to not enable entity substitution via LIBXML_NOENT option. Also, libxml_set_external_entity_loader function can be used to suppress the expansion of arbitrary external entities to avoid XXE attacks, even when LIBXML_NOENT has been set.


Bad practice

$dom = new DOMDocument();

// sensitive: `LIBXML_NOENT` constant will enable external entity substitution
$dom->load('config.xml', LIBXML_NOENT);


$dom = new DOMDocument();