",t};e.buildCustomizationMenuUi=t;function n(e){let t='
",t}function s(e){let n=e.filter.currentValue||e.filter.defaultValue,t='${e.filter.label}
`,e.filter.options.forEach(s=>{let o=s.id===n;t+=``}),t+="${e.filter.label}
ID: swift-security/xxe-parser
Language: Unknown
Severity: Warning
Category: Security
CWE: 611
This rule ensures that XML parsers do not resolve external entities during parsing. Resolving external entities can expose applications to XML External Entity (XXE) attacks, where malicious XML input can access sensitive files, cause denial of service, or execute remote requests. Preventing the resolution of external entities helps protect the application from these security vulnerabilities.
It is important to disable the `shouldResolveExternalEntities` property on XML parser instances or leave it unset, as it defaults to `false` in most implementations. This reduces the attack surface by preventing the parser from fetching or processing external resources referenced in the XML content. Developers should explicitly set `parser.shouldResolveExternalEntities = false` or avoid enabling it unless absolutely necessary.
To comply with this rule, ensure your XML parsing code does not enable external entity resolution. For example, write `parser.shouldResolveExternalEntities = false` or omit this property entirely since it is disabled by default. Always validate and sanitize XML input and prefer safer parsing configurations to avoid introducing security risks related to external entities.
```swift
// Non-compliant: external entity resolution is explicitly enabled.
class XXEViewController: ViewController, NSXMLParserDelegate {
    func test(xml: String) {
        let parser = NSXMLParser(data: xml.dataUsingEncoding(NSUTF8StringEncoding)!)
        parser.delegate = self
        // Flagged by the rule: the parser will fetch external resources declared in the DTD.
        parser.shouldResolveExternalEntities = true
        parser.parse()
    }
}
```
```swift
// Non-compliant: the same defect written with explicit type annotations
// (NSXMLParser is named XMLParser in Swift 3 and later).
class XXEViewController: ViewController, XMLParserDelegate {
    func test(xml: String) {
        let rawXmlConvToData: Data = xml.data(using: .utf8)!
        let myParser: XMLParser = XMLParser(data: rawXmlConvToData)
        myParser.shouldResolveExternalEntities = true  // flagged by the rule
        myParser.delegate = self
        myParser.parse()
    }
}
```
```swift
// Compliant: the property is left unset, so it keeps its default value of false.
class XXEViewController: ViewController, NSXMLParserDelegate {
    func test(xml: String) {
        let parser = NSXMLParser(data: xml.dataUsingEncoding(NSUTF8StringEncoding)!)
        parser.delegate = self
        // ok: good xxe (external entities resolution disabled by default)
        parser.parse()
    }
}
```
```swift
// Compliant: external entity resolution is disabled explicitly.
class XXEViewController: ViewController, NSXMLParserDelegate {
    func test(xml: String) {
        let parser = NSXMLParser(data: xml.dataUsingEncoding(NSUTF8StringEncoding)!)
        parser.delegate = self
        parser.shouldResolveExternalEntities = false
        parser.parse()
    }
}
```
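Building on the compliant examples above, the following is an added example (not part of the rule page or Datadog's code) of a hardened wrapper: it keeps `shouldResolveExternalEntities` at `false` and additionally uses the `foundExternalEntityDeclarationWithName` delegate callback to reject any input whose DTD declares an external entity, so such documents fail closed instead of being parsed with a silently unresolved reference. `SafeXMLCollector` and the two sample documents are constructed for this example; it assumes Foundation's `XMLParser` invokes that delegate callback for declarations in the internal DTD subset.

```swift
import Foundation

// Hypothetical hardened wrapper (added example, not Datadog's code): parses with
// shouldResolveExternalEntities left false and, in addition, refuses any document
// whose DTD declares an external entity, so a hostile DOCTYPE is reported, not ignored.
final class SafeXMLCollector: NSObject, XMLParserDelegate {
    private(set) var elementNames: [String] = []
    private(set) var externalEntityDeclared = false
    private(set) var lastError: Error?
    // Returns true only if the document parsed cleanly and declared no external entity.
    func parse(_ data: Data) -> Bool {
        let parser = XMLParser(data: data)
        parser.delegate = self
        parser.shouldResolveExternalEntities = false  // compliant with swift-security/xxe-parser
        let ok = parser.parse()
        return ok && !externalEntityDeclared
    }

    func parser(_ parser: XMLParser, didStartElement elementName: String,
                namespaceURI: String?, qualifiedName qName: String?,
                attributes attributeDict: [String: String] = [:]) {
        elementNames.append(elementName)
    }

    // Assumption: Foundation reports DTD entity declarations to the delegate even when
    // resolution is off. An external (SYSTEM/PUBLIC) entity has no place in untrusted input, so abort.
    func parser(_ parser: XMLParser, foundExternalEntityDeclarationWithName name: String,
                publicID: String?, systemID: String?) {
        externalEntityDeclared = true
        parser.abortParsing()
    }

    func parser(_ parser: XMLParser, parseErrorOccurred parseError: Error) {
        lastError = parseError
    }
}
// Constructed sample inputs for the demonstration.
let benignXML = "<?xml version=\"1.0\"?><config><host>example</host></config>"
let hostileXML = """
<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY ext SYSTEM "file:///tmp/constructed-example.txt"> ]>
<config><host>&ext;</host></config>
"""

let benign = SafeXMLCollector()
print("benign accepted:", benign.parse(Data(benignXML.utf8)), benign.elementNames)
let hostile = SafeXMLCollector()
print("hostile accepted:", hostile.parse(Data(hostileXML.utf8)), "external entity:", hostile.externalEntityDeclared)
```

Because `abortParsing()` makes `parse()` return `false` and also triggers `parseErrorOccurred`, the caller gets both a boolean rejection and the error for logging.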