2023-05-03 11:06:20 +02:00
|
|
|
== Why is this an issue?
|
|
|
|
|
|
2020-06-30 14:41:58 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Noncompliant code example
|
2020-06-30 14:41:58 +02:00
|
|
|
|
|
|
|
|
http://xerces.apache.org/[Xerces] XercesDOMParser library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/parsers/XercesDOMParser.hpp"
|
|
|
|
|
|
|
|
|
|
XercesDOMParser *DOMparser = new XercesDOMParser();
|
|
|
|
|
// no entity reference node will be created so the entities will be expanded
|
|
|
|
|
DOMparser->setCreateEntityReferenceNodes(false); // Noncompliant
|
|
|
|
|
DOMparser->setDisableDefaultEntityResolution(false); // Noncompliant
|
|
|
|
|
|
|
|
|
|
DOMparser->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xerces.apache.org/[Xerces] SAX2XMLReader library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/sax2/SAX2XMLReader.hpp"
|
|
|
|
|
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader(); // Noncompliant: by default entities resolution is enabled so SAX2XMLReader is not safe
|
|
|
|
|
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, false); // Noncompliant: enable resolution of entities explicitly
|
|
|
|
|
|
|
|
|
|
reader->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xerces.apache.org/[Xerces] SAXParser library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/parsers/SAXParser.hpp"
|
|
|
|
|
|
|
|
|
|
SAXParser* SAXparser = new SAXParser(); // Noncompliant: by default entities resolution is enabled so SAXParser is not safe
|
|
|
|
|
SAXparser->setDisableDefaultEntityResolution(false); // Noncompliant: enable resolution of entities explicitly
|
|
|
|
|
|
|
|
|
|
SAXparser->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xmlsoft.org/[LibXML2] library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "libxml/parser.h"
|
|
|
|
|
|
|
|
|
|
xmlDocPtr doc = xmlReadFile(xmlFile, nullptr, XML_PARSE_DTDLOAD | XML_PARSE_NOENT); // Noncompliant
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Compliant solution
|
2020-06-30 14:41:58 +02:00
|
|
|
|
|
|
|
|
http://xerces.apache.org/[Xerces] XercesDOMParser library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/parsers/XercesDOMParser.hpp"
|
|
|
|
|
|
|
|
|
|
XercesDOMParser *DOMparser = new XercesDOMParser(); // by default XercesDOMParser is safe
|
|
|
|
|
DOMparser->setCreateEntityReferenceNodes(true); // Compliant: explicitly make the parser safe to XXE vulnerability
|
|
|
|
|
DOMparser->setDisableDefaultEntityResolution(true); // Compliant
|
|
|
|
|
|
|
|
|
|
DOMparser->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xerces.apache.org/[Xerces] SAX2XMLReader library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/sax2/SAX2XMLReader.hpp"
|
|
|
|
|
|
|
|
|
|
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
|
|
|
|
|
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); // Compliant
|
|
|
|
|
|
|
|
|
|
reader->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xerces.apache.org/[Xerces] SAXParser library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "xercesc/parsers/SAXParser.hpp"
|
|
|
|
|
|
|
|
|
|
SAXParser* SAXparser = new SAXParser();
|
|
|
|
|
SAXparser->setDisableDefaultEntityResolution(true); // Compliant
|
|
|
|
|
|
|
|
|
|
SAXparser->parse(xmlFile);
|
|
|
|
|
----
|
|
|
|
|
http://xmlsoft.org/[LibXML2] library:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,cpp]
|
2020-06-30 14:41:58 +02:00
|
|
|
----
|
|
|
|
|
#include "libxml/parser.h"
|
|
|
|
|
|
|
|
|
|
xmlDocPtr doc = xmlReadFile(xmlFile, nullptr, 0); // Compliant: safe by default since version 2.9
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
== Resources
|
2020-06-30 14:41:58 +02:00
|
|
|
|
2021-11-01 15:00:32 +01:00
|
|
|
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
|
2022-07-08 13:58:56 +02:00
|
|
|
* https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[OWASP Top 10 2017 Category A4] - XML External Entities (XXE)
|
2020-06-30 14:41:58 +02:00
|
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxerces-c[OWASP XXE Prevention Cheat Sheet for Xerces]
|
|
|
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxml2[OWASP XXE Prevention Cheat Sheet for LibXML2]
|
2022-04-07 08:53:59 -05:00
|
|
|
* https://cwe.mitre.org/data/definitions/611[MITRE, CWE-611] - Information Exposure Through XML External Entity Reference
|
|
|
|
|
* https://cwe.mitre.org/data/definitions/827[MITRE, CWE-827] - Improper Control of Document Type Definition
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
|
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
