Avoid using unsafe flags in XML parsers

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: php-security/xml-unsafe-parser-flags

Language: PHP

Severity: Error

Category: Security

CWE: 611

Description

This rule is designed to prevent potential XML External Entity (XXE) attacks, which could allow an attacker to read local files on the server, interact with any external systems that the server can access, or perform a Denial-of-Service (DoS) attack.

The LIBXML_NOENT and LIBXML_DTDLOAD flags in PHP’s DOMDocument or SimpleXML classes are particularly risky. The LIBXML_NOENT flag allows for the substitution of XML entities by their values, while the LIBXML_DTDLOAD flag enables loading of the XML Document Type Definition (DTD), both of which are common vectors for XXE attacks.

To avoid violating this rule, refrain from using these flags when loading XML data. Instead, use safer methods like simplexml_load_string() without any flags, as shown in the compliant code sample. This ensures that your PHP applications are not susceptible to XXE attacks, thus enhancing their security.

Non-Compliant Code Examples

<?php
class UserController extends Controller {
  public function xml($input) {
    $doc = new DOMDocument();
    $doc->loadXML($input, LIBXML_NOENT | LIBXML_DTDLOAD);
    return view('user.index', ['data' => $doc]);
  }
}

Compliant Code Examples

<?php
class Foo extends Controller {
  public function xml($input) {
    $data = simplexml_load_string($xml_input);
    return view('user.index', ['data' => $data]);
  }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis