Avoid using unsafe flags in XML parsers

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: php-security/xml-unsafe-parser-flags

Language: PHP

Severity: Error

Category: Security

CWE: 611

Description

This rule is designed to prevent potential XML External Entity (XXE) attacks, which could allow an attacker to read local files on the server, interact with any external systems that the server can access, or perform a Denial-of-Service (DoS) attack.

The LIBXML_NOENT and LIBXML_DTDLOAD flags in PHP’s DOMDocument or SimpleXML classes are particularly risky. The LIBXML_NOENT flag allows for the substitution of XML entities by their values, while the LIBXML_DTDLOAD flag enables loading of the XML Document Type Definition (DTD), both of which are common vectors for XXE attacks.

To avoid violating this rule, refrain from using these flags when loading XML data. Instead, use safer methods like simplexml_load_string() without any flags, as shown in the compliant code sample. This ensures that your PHP applications are not susceptible to XXE attacks, thus enhancing their security.

Non-Compliant Code Examples

<?php
class UserController extends Controller {
  public function xml($input) {
    $doc = new DOMDocument();
    $doc->loadXML($input, LIBXML_NOENT | LIBXML_DTDLOAD);
    return view('user.index', ['data' => $doc]);
  }
}

Compliant Code Examples

<?php
class Foo extends Controller {
  public function xml($input) {
    $data = simplexml_load_string($xml_input);
    return view('user.index', ['data' => $data]);
  }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis