
Metadata

ID: swift-security/xxe-parser

Language: Unknown

Severity: Warning

Category: Security

CWE: 611

Description

This rule ensures that XML parsers do not resolve external entities during parsing. Resolving external entities can expose applications to XML External Entity (XXE) attacks, where malicious XML input can access sensitive files, cause denial of service, or execute remote requests. Preventing the resolution of external entities helps protect the application from these security vulnerabilities.

It is important to disable the shouldResolveExternalEntities property on XML parser instances or leave it unset, as it defaults to false in most implementations. This reduces the attack surface by preventing the parser from fetching or processing external resources referenced in the XML content. Developers should explicitly set parser.shouldResolveExternalEntities = false or avoid enabling it unless absolutely necessary.

To comply with this rule, ensure your XML parsing code does not enable external entity resolution. For example, write parser.shouldResolveExternalEntities = false or omit this property entirely since it is disabled by default. Always validate and sanitize XML input and prefer safer parsing configurations to avoid introducing security risks related to external entities.
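The following is an added example, not code from the Datadog rule page: a small wrapper around Foundation's XMLParser that keeps external entity resolution off (the rule's compliant setting), additionally sets the platform's entity-resolving policy to never resolve, and uses delegate callbacks to record any entity declarations found in untrusted input so an XXE attempt can be logged and rejected instead of silently ignored. The delegate class, the ParseOutcome type, the parseUntrustedXML function and both sample documents are assumptions made for this example; it targets Apple's Foundation, where externalEntityResolvingPolicy is available.

```swift
import Foundation

// Added example: delegate that collects structure and entity declarations.
// Entity declarations only appear when the input carries a DTD, which
// untrusted documents normally have no reason to include.
final class HardenedXMLDelegate: NSObject, XMLParserDelegate {
    private(set) var elementNames: [String] = []
    private(set) var entityDeclarations: [String] = []
    private(set) var parseError: Error?

    func parser(_ parser: XMLParser, didStartElement elementName: String,
                namespaceURI: String?, qualifiedName qName: String?,
                attributes attributeDict: [String: String] = [:]) {
        elementNames.append(elementName)
    }

    // External entity declarations are the XXE signal; record the system ID for the log.
    func parser(_ parser: XMLParser, foundExternalEntityDeclarationWithName name: String,
                publicID: String?, systemID: String?) {
        entityDeclarations.append("external:\(name) -> \(systemID ?? "nil")")
    }

    // Internal entities are also worth noting (entity expansion can be abused for DoS).
    func parser(_ parser: XMLParser, foundInternalEntityDeclarationWithName name: String,
                value: String?) {
        entityDeclarations.append("internal:\(name)")
    }

    func parser(_ parser: XMLParser, parseErrorOccurred error: Error) {
        parseError = error
    }
}

// Result type assumed for this example.
struct ParseOutcome {
    let succeeded: Bool
    let elements: [String]
    let entityDeclarations: [String]
    let error: Error?
}

/// Parses `xml` with external entity resolution disabled and returns what was seen,
/// so the caller can reject input that declared entities.
func parseUntrustedXML(_ xml: String) -> ParseOutcome {
    let delegate = HardenedXMLDelegate()
    let parser = XMLParser(data: Data(xml.utf8))
    parser.delegate = delegate
    // The rule's compliant setting: leave this false (its default).
    parser.shouldResolveExternalEntities = false
    // Belt and braces on Apple platforms: never fetch external entities even if asked.
    parser.externalEntityResolvingPolicy = .never
    let ok = parser.parse()
    return ParseOutcome(succeeded: ok,
                        elements: delegate.elementNames,
                        entityDeclarations: delegate.entityDeclarations,
                        error: delegate.parseError)
}

// Constructed sample inputs (not real data): a benign document and one that
// declares an external entity the way an XXE payload would.
let benignXML = "<order><item>widget</item></order>"
let dtdXML = """
<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///tmp/constructed-example.txt"> ]>
<order><item>&ext;</item></order>
"""

for (label, input) in [("benign", benignXML), ("dtd", dtdXML)] {
    let outcome = parseUntrustedXML(input)
    if outcome.entityDeclarations.isEmpty {
        print("\(label): parsed=\(outcome.succeeded) elements=\(outcome.elements)")
    } else {
        // Policy choice for this example: any entity declaration in untrusted
        // input is rejected and surfaced for alerting.
        print("\(label): rejected, entity declarations: \(outcome.entityDeclarations)")
    }
}
```

The wrapper never resolves the declared entity, so the second document cannot reach the referenced resource; the declaration callbacks are what turn a blocked attempt into a detectable event. Whether the second parse reports a parse error for the unresolved reference depends on the Foundation version, which is why the decision is made on the recorded declarations rather than on the success flag.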

Non-Compliant Code Examples

import UIKit

class XXEViewController: UIViewController, XMLParserDelegate {

    func test(xml: String) {
        // Parse the caller-supplied XML string as UTF-8 data.
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // Non-compliant: enabling external entity resolution is what the rule flags.
        parser.shouldResolveExternalEntities = true
        parser.parse()
    }

}

import UIKit

class XXEViewController: UIViewController, XMLParserDelegate {
    @discardableResult
    func test(rawXml: String) -> Bool {
        let rawXmlConvToData: Data = rawXml.data(using: .utf8)!
        let myParser = XMLParser(data: rawXmlConvToData)
        // Non-compliant: the rule flags the assignment regardless of the parser variable's name.
        myParser.shouldResolveExternalEntities = true
        myParser.delegate = self
        let success: Bool = myParser.parse()
        return success
    }
}

Compliant Code Examples

import UIKit

class XXEViewController: UIViewController, XMLParserDelegate {
    func test(xml: String) {
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // ok: good xxe (external entity resolution is disabled by default, so the property is left unset)
        parser.parse()
    }
}

import UIKit

class XXEViewController: UIViewController, XMLParserDelegate {

    func test(xml: String) {
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // Compliant: external entity resolution explicitly disabled.
        parser.shouldResolveExternalEntities = false
        parser.parse()
    }

}