Resolve vulnerability: Improper restriction of XML external entity reference ('XXE')
AI GENERATED PATCH
The suggested code changes were generated by GitLab Duo Vulnerability Resolution, an AI feature. Use this feature with caution. Before you apply the code changes, carefully review and test them, to ensure that they solve the vulnerability, don't harm the functional behavior of your application or introduce new vulnerabilities.
The large language model that generated the suggested code changes was only provided with the affected lines of code, and the vulnerability in that code. It is not aware of any functionality outside of this context.
Please see our documentation for more information about this feature. We'd love to hear your feedback so we can improve on this feature as we work to bring it to general availability.
Description:
External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS).
In most XML parsers, the recommendation to protect against XXE is to disable the doctype
feature.
Unfortunately use of the XMLInputFactory
requires that the doctypes feature be enabled.
Instead
the application can set the ACCESS_EXTERNAL_DTD
to an empty string and disable
javax.xml.stream.isSupportingExternalEntities
.
Creates an XMLInputFactory
stream parser, but disables accessing external DTD or entities:
// Create an XMLInputFactory
XMLInputFactory factory = XMLInputFactory.newFactory();
// Set the ACCESS_EXTERNAL_DTD property to an empty string so it won't access
// entities using protocols
// (ref:
https://docs.oracle.com/javase/8/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD)
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
// Additionally, disable support for resolving external entities
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
// Continue to work with the factory/stream parser
For more information on XML security see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java
- Severity: critical
- Confidence: unknown
- Location: webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java:70
Identifiers:
- CWE-611
- find_sec_bugs.XXE_XMLSTREAMREADER-1
- Find Security Bugs-XXE_XMLSTREAMREADER
- A1:2017 - Injection
- A03:2021 - Injection