XXE Injection is a type of attack against an application that parses XML input.

By default, many XML processors allow specification of an external entity - a URI (Uniform Resource Identifier) that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

It is recommended to disable fetching external entities whenever possible.

Possible attacks include using file: schemes or relative paths in the system identifier. This can expose local files, which may contain sensitive data such as passwords or private user data.

A system identifier is also a URI (Uniform Resource Identifier) e.g., file:///path/to/file etc.

For example, a sample XML document is given below, containing an XML element, username.

<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Bad Practice

import libxmljs from 'libxmljs'
import fs from 'fs'

const xml = fs.readFileSync('someDataFile.xml', 'utf8')
const xmlDoc = libxmljs.parseXmlString(xml, {
   noblanks: true,
   noent: true, // Noncompliant: noent set to true
   nocdata: true
})

Recommended

import libxmljs from 'libxmljs'
import fs from 'fs'

const xml = fs.readFileSync('someDataFile.xml', 'utf8')
const xmlDoc = libxmljs.parseXmlString(xml, {
   noblanks: true,
   noent: false, // Compliant: noent is unset
   nocdata: true
})

References

OWASP A05:2021 - Security Misconfiguration
Prevention Cheat Sheet
CWE-611
CWE-827

deepsourcestatus / test-repository

No ignore rules found