13 lines
1.0 KiB
Plaintext
13 lines
1.0 KiB
Plaintext
XML standard allows the use of entities, declared in the DOCTYPE of the document, which can be https://www.w3.org/TR/xml/#sec-internal-ent[internal] or https://www.w3.org/TR/xml/#sec-external-ent[external].
|
|
|
|
When parsing the XML file, the content of the external entities is retrieved from an external storage such as the file system or network, which may lead, if no restrictions are put in place, to arbitrary file disclosures or https://www.owasp.org/index.php/Server_Side_Request_Forgery[server-side request forgery (SSRF)] vulnerabilities.
|
|
|
|
It's recommended to limit resolution of external entities by using one of these solutions:
|
|
|
|
* If DOCTYPE is not necessary, completely disable all DOCTYPE declarations.
|
|
* If external entities are not necessary, completely disable their declarations.
|
|
* If external entities are necessary then:
|
|
** Use XML processor features, if available, to authorize only required protocols (eg: https).
|
|
** And use an entity resolver (and optionally an XML Catalog) to resolve only trusted entities.
|
|
|