Prevent XXE attack from XML parser

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST Rules > Prevent XXE attack from XML parser

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: kotlin-security/avoid-xml-xxe

Language: Kotlin

Severity: Error

Category: Security

CWE: 611

Description

This rule aims to prevent XXE (XML External Entity) attacks by ensuring that the XML parser is configured safely in Kotlin. XXE attacks occur when an XML parser processes an XML document that contains a reference to an external entity. This can lead to unwanted disclosure of confidential data, denial of service, server side request forgery, port scanning, or other system impacts.

XXE attacks can have serious security implications, potentially allowing an attacker to read sensitive data from the server, interact with any back-end or external systems that the application can access, or carry out denial-of-service attacks.

To avoid this, disable DTDs (Document Type Definitions) completely, if your application does not require them by setting the http://apache.org/xml/features/disallow-doctype-decl feature to true. If DTDs must be enabled, enable secure processing (XMLConstants.FEATURE_SECURE_PROCESSING), limit access to external DTDs (XMLConstants.ACCESS_EXTERNAL_DTD), and disable external parameter entities (http://xml.org/sax/features/external-parameter-entities). By following these practices, you can ensure that your Kotlin code is not vulnerable to XXE attacks.

Non-Compliant Code Examples

fun parseXmlUnsafe(input: File) {
    // WARNING: Vulnerable to XXE attacks
    val factory = DocumentBuilderFactory.newInstance()
    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Unsafe parsing
}

Compliant Code Examples

fun parseXmlSafe(input: File) {
    val factory = DocumentBuilderFactory.newInstance().apply {
        // Disable DTDs completely - recommended approach
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        
        // Alternative security configurations if DTDs must be enabled:
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    }
    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Safe parsing
}

fun parseXmlSafe2(input: File) {
    val factory = DocumentBuilderFactory.newInstance()
    
    // Disable DTDs completely - recommended approach
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    
    // Additional security configurations if needed:
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    
    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Safe parsing
}