|
| 1 | +<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> |
| 2 | +<qhelp> |
| 3 | + |
| 4 | +<overview> |
| 5 | +<p> |
| 6 | +Parsing untrusted XML files with a weakly configured XML parser may lead to an |
| 7 | +XML External Entity (XXE) attack. This type of attack uses external entity references |
| 8 | +to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side |
| 9 | +request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible |
| 10 | +and out-of-band data retrieval techniques may allow attackers to steal sensitive data. |
| 11 | +</p> |
| 12 | +</overview> |
| 13 | + |
| 14 | +<recommendation> |
| 15 | +<p> |
| 16 | +The easiest way to prevent XXE attacks is to disable external entity handling when |
| 17 | +parsing untrusted data. How this is done depends on the library being used. Note that some |
| 18 | +libraries, such as recent versions of <code>libxml</code>, disable entity expansion by default, |
| 19 | +so unless you have explicitly enabled entity expansion, no further action needs to be taken. |
| 20 | +</p> |
| 21 | +</recommendation> |
| 22 | + |
| 23 | +<example> |
| 24 | +<p> |
| 25 | +The following example uses the <code>libxml</code> XML parser to parse a string <code>xmlSrc</code>. |
| 26 | +If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since |
| 27 | +the parser is invoked with the <code>noent</code> option set to <code>true</code>: |
| 28 | +</p> |
| 29 | +<sample src="examples/Xxe.js"/> |
| 30 | + |
| 31 | +<p> |
| 32 | +To guard against XXE attacks, the <code>noent</code> option should be omitted or set to |
| 33 | +<code>false</code>. This means that no entity expansion is undertaken at all, not even for standard |
| 34 | +internal entities such as <code>&amp;</code> or <code>&gt;</code>. If desired, these |
| 35 | +entities can be expanded in a separate step using utility functions provided by libraries such |
| 36 | +as <a href="http://underscorejs.org/#unescape">underscore</a>, |
| 37 | +<a href="https://lodash.com/docs/4.17.15#unescape">lodash</a> or |
| 38 | +<a href="https://github.com/mathiasbynens/he">he</a>. |
| 39 | +</p> |
| 40 | +<sample src="examples/XxeGood.js"/> |
| 41 | +</example> |
| 42 | + |
| 43 | +<references> |
| 44 | +<li> |
| 45 | +OWASP: |
| 46 | +<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>. |
| 47 | +</li> |
| 48 | +<li> |
| 49 | +Timothy Morgen: |
| 50 | +<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>. |
| 51 | +</li> |
| 52 | +<li> |
| 53 | +Timur Yunusov, Alexey Osipov: |
| 54 | +<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>. |
| 55 | +</li> |
| 56 | +</references> |
| 57 | +</qhelp> |
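Review bot: The consequence list in the overview paragraph is not grammatically parallel: "access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery" puts a bare noun phrase after two verb phrases; suggest "..., carry out denial-of-service (DoS) attacks, or perform server-side request forgery". Related wording point: the overview, recommendation and example all refer to the parser only as <code>libxml</code>, yet the samples are JavaScript files (<code>examples/Xxe.js</code>, <code>examples/XxeGood.js</code>), so readers cannot tell which Node.js package the <code>noent</code> option and the "disabled by default in recent versions" claim apply to; naming that package once in the example paragraph would make the recommendation actionable.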