rspec/rules/S6373/description.adoc


The XML standard allows the inclusion of XML files with the https://www.w3.org/TR/xinclude-11/[XInclude] element.
XML processors will replace an XInclude element with the content of the file located at the URI defined in the `href` attribute, potentially from external storage such as the file system or the network. If no restrictions are put in place, this may lead to arbitrary file disclosure or https://owasp.org/www-community/attacks/Server_Side_Request_Forgery[server-side request forgery (SSRF)] vulnerabilities.
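
The following Python sketch is an added example, not part of the rule description. It uses the standard library's `xml.etree.ElementInclude` to show the default loader resolving an `href` that points outside the intended directory, next to a loader that confines includes to one directory. The file names, directory layout and the `make_restricted_loader` helper are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI = 'xmlns:xi="http://www.w3.org/2001/XInclude"'

def make_restricted_loader(allowed_dir):
    """Build an XInclude loader that only reads files under allowed_dir."""
    root = os.path.realpath(allowed_dir)
    def loader(href, parse, encoding=None):
        # No URI schemes: rules out http:, ftp:, file: and similar targets.
        if ":" in href.split("/", 1)[0]:
            raise ValueError(f"XInclude href rejected (scheme): {href!r}")
        # Resolve symlinks and "..", then require the result to stay under root.
        target = os.path.realpath(os.path.join(root, href))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"XInclude href rejected (outside root): {href!r}")
        return ElementInclude.default_loader(target, parse, encoding)
    return loader

def expand(xml_text, loader=None):
    """Parse xml_text and resolve its xi:include elements with the given loader."""
    doc = ET.fromstring(xml_text)
    ElementInclude.include(doc, loader=loader)  # loader=None: unrestricted default
    return ET.tostring(doc, encoding="unicode")

def demo():
    """Run three constructed cases in a temp dir; return their outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "includes")
        os.mkdir(allowed)
        with open(os.path.join(allowed, "fragment.xml"), "w") as f:
            f.write("<item>ok</item>")
        secret = os.path.join(tmp, "secret.txt")  # sits outside the allowed dir
        with open(secret, "w") as f:
            f.write("db_password=constructed-sample")
        restricted = make_restricted_loader(allowed)
        hostile = f'<doc {XI}><xi:include href="{secret}" parse="text"/></doc>'
        benign = f'<doc {XI}><xi:include href="fragment.xml"/></doc>'
        results = {"default": expand(hostile), "benign": expand(benign, restricted)}
        try:
            results["restricted"] = expand(hostile, restricted)
        except ValueError:
            results["restricted"] = "blocked"
        return results

if __name__ == "__main__":
    print(demo())
```

With the default loader the content of `secret.txt` ends up in the serialized document; with the restricted loader the same input raises `ValueError` while the include of `fragment.xml` still resolves.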