Improper Restriction of XML External Entity Reference ('XXE')
ID | scala.xxe.scala_xxe_rule_saxparserxxe
Severity | high
Resource | Xxe
Language | Scala
Description
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source.
Rationale
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. This rule flags a SAXParser obtained from a SAXParserFactory that was left in its default configuration, in which external entities declared in a DOCTYPE are resolved, when that parser is used on input the application does not control.
The following code illustrates a vulnerable pattern detected by this rule:
```scala
import java.io.{ByteArrayInputStream, IOException, InputStream}
import javax.xml.parsers.{ParserConfigurationException, SAXParserFactory}
import org.xml.sax.SAXException
import org.xml.sax.helpers.DefaultHandler

object SaxParserXXE {
  @throws[ParserConfigurationException]
  @throws[SAXException]
  @throws[IOException]
  private def receiveXMLStream(inStream: InputStream, defHandler: DefaultHandler): Unit = {
    // Default factory: no features are set, so external entities are resolved
    val spf = SAXParserFactory.newInstance
    val saxParser = spf.newSAXParser
    // VULNERABLE: Improper Restriction of XML External Entity Reference ('XXE')
    saxParser.parse(inStream, defHandler)
  }

  @throws[ParserConfigurationException]
  @throws[SAXException]
  @throws[IOException]
  def main(args: Array[String]): Unit = {
    // Tainted input: a DOCTYPE declaring an external entity that points at a local file
    val xmlString = "<?xml version=\"1.0\"?>" +
      "<!DOCTYPE test [ <!ENTITY foo SYSTEM \"C:/Code/public.txt\"> ]><test>&foo;</test>"
    val is = new ByteArrayInputStream(xmlString.getBytes)
    receiveXMLStream(is, new DefaultHandler)
  }
}
```
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
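The following is an added example of the hardened counterpart to the pattern above; it is not part of the rule's own documentation. It configures the SAXParserFactory to reject DOCTYPE declarations and, as defence in depth, to ignore external entities and external DTDs, then shows that the same DOCTYPE payload is rejected while a plain document still parses. The object and method names are chosen for this example.

```scala
import java.io.{ByteArrayInputStream, InputStream}
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.SAXParseException
import org.xml.sax.helpers.DefaultHandler

object SaxParserHardened {
  // A factory whose parsers refuse any DOCTYPE outright (the recommended default) and,
  // should that feature ever be relaxed, still never fetch external entities or DTDs.
  private def secureFactory(): SAXParserFactory = {
    val spf = SAXParserFactory.newInstance
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    spf.setXIncludeAware(false)
    spf
  }

  // Handler that collects character data so the parse result can be inspected.
  private class TextCollector extends DefaultHandler {
    val text = new StringBuilder
    override def characters(ch: Array[Char], start: Int, length: Int): Unit =
      text.append(new String(ch, start, length))
  }

  // Returns Right(text) when the document is accepted, Left(reason) when the parser rejects it.
  def receiveXMLStream(inStream: InputStream): Either[String, String] = {
    val handler = new TextCollector
    try {
      secureFactory().newSAXParser.parse(inStream, handler)
      Right(handler.text.toString)
    } catch {
      case e: SAXParseException => Left(e.getMessage)
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: the DOCTYPE payload from the vulnerable sample, and a benign document.
    val tainted = "<?xml version=\"1.0\"?>" +
      "<!DOCTYPE test [ <!ENTITY foo SYSTEM \"C:/Code/public.txt\"> ]><test>&foo;</test>"
    val benign = "<?xml version=\"1.0\"?><test>hello</test>"
    println(receiveXMLStream(new ByteArrayInputStream(tainted.getBytes("UTF-8"))))
    println(receiveXMLStream(new ByteArrayInputStream(benign.getBytes("UTF-8"))))
  }
}
```

With the hardened factory the first call yields a Left carrying the parser's DOCTYPE-disallowed message and the second yields Right("hello"), so the external file is never opened.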
References
- OWASP Top 10 2021 - A05: Security Misconfiguration.