---
title: Prevent XXE attack from XML parser
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Prevent XXE attack from XML parser
---

# Prevent XXE attack from XML parser

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `kotlin-security/avoid-xml-xxe`

**Language:** Kotlin

**Severity:** Error

**Category:** Security

**CWE**: [611](https://cwe.mitre.org/data/definitions/611.html)

## Description{% #description %}

This rule flags XML parsers in Kotlin that are created without XXE (XML External Entity) protections. An XXE attack occurs when an attacker-controlled XML document declares an external entity in its DTD and the parser resolves it: the parser then reads a local file, contacts a URL the attacker chose, or expands nested entities until memory runs out. Depending on what the entity points at, the result is disclosure of files the application can read, server side request forgery and port scanning of back-end or external systems the application can reach, or denial of service.

To avoid this, disable DTDs (Document Type Definitions) completely by setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to `true`. This is the preferred fix whenever your application does not need DTDs: the parser then throws a `SAXParseException` on any document that carries a DOCTYPE, so no entity can be declared at all. If DTDs must be enabled, enable secure processing (`XMLConstants.FEATURE_SECURE_PROCESSING`), block access to external DTDs and external entities by setting the `XMLConstants.ACCESS_EXTERNAL_DTD` attribute to the empty string, and disable external parameter entities (`http://xml.org/sax/features/external-parameter-entities`); hardening guides such as the OWASP XXE cheat sheet also disable `http://xml.org/sax/features/external-general-entities`. Apply these settings on the `DocumentBuilderFactory` before calling `newDocumentBuilder()`; a builder obtained from an unconfigured factory keeps the JDK defaults, which resolve external entities. The JDK's built-in Xerces parser recognizes all of these features; a third-party parser that does not will throw `ParserConfigurationException` from `setFeature`, which should be treated as a fatal misconfiguration rather than caught and ignored.
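The following added example (not part of the original rule page) shows the attack and both defenses end to end: a constructed XXE payload pointing at a temporary "secret" file, the stock factory that leaks it, the rule's preferred disallow-DOCTYPE configuration that rejects the document, and the fallback configuration for applications that must accept a DTD. The `hardenedFactory`, `dtdTolerantFactory`, `xxePayloadFor` and `noteText` names are mine; the fallback also sets `external-general-entities`, `load-external-dtd`, `ACCESS_EXTERNAL_SCHEMA`, `isXIncludeAware` and `isExpandEntityReferences`, which are standard JAXP/Xerces switches added here for defense in depth beyond the three settings the rule names. The "stock factory" branch assumes the JDK's default JAXP configuration, which resolves external entities.

```kotlin
import java.io.File
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import org.xml.sax.SAXParseException

// Constructed XXE payload: the internal DTD subset declares an external general entity
// that points at a local file, and the body references it. A parser that resolves the
// entity copies the file contents into <note>.
fun xxePayloadFor(target: File): String = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "${target.toURI()}">
]>
<order><note>&xxe;</note></order>"""

// Constructed benign document, to show the hardened parser still accepts normal input.
val CLEAN_PAYLOAD = """<?xml version="1.0"?><order><note>hello</note></order>"""

// Preferred configuration from the rule: reject any DOCTYPE, so no DTD and therefore no
// entity can ever be declared. A document carrying a DOCTYPE fails with SAXParseException.
fun hardenedFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
        isXIncludeAware = false            // extra hardening, not listed by the rule
        isExpandEntityReferences = false   // extra hardening, not listed by the rule
    }

// Fallback when documents legitimately carry a DOCTYPE: keep the DTD but cut off every
// external fetch. The rule's three settings come first; the rest are additional
// JAXP/Xerces switches added here for defense in depth.
fun dtdTolerantFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")      // "" = no protocol allowed
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
        setFeature("http://xml.org/sax/features/external-general-entities", false)
        setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
        setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
        isXIncludeAware = false
        isExpandEntityReferences = false
    }

fun parseWith(factory: DocumentBuilderFactory, xml: String): Document =
    factory.newDocumentBuilder().parse(xml.byteInputStream())

fun noteText(doc: Document): String =
    doc.getElementsByTagName("note").item(0).textContent

fun main() {
    // Constructed "secret": a temp file standing in for /etc/passwd or a credentials file.
    val secret = File.createTempFile("xxe-demo", ".txt").apply {
        writeText("TOP-SECRET-TOKEN")
        deleteOnExit()
    }
    val payload = xxePayloadFor(secret)

    // 1. Stock factory (the non-compliant pattern): the entity is resolved and the
    //    secret lands in the parsed document.
    val stock = DocumentBuilderFactory.newInstance()
    println("stock factory:    note=" + noteText(parseWith(stock, payload)))

    // 2. Hardened factory: parsing stops at the DOCTYPE, before any entity is declared.
    try {
        parseWith(hardenedFactory(), payload)
        println("hardened factory: UNEXPECTED - payload accepted")
    } catch (e: SAXParseException) {
        println("hardened factory: rejected (" + e.message + ")")
    }
    // Documents without a DOCTYPE still parse normally.
    println("hardened factory: clean note=" + noteText(parseWith(hardenedFactory(), CLEAN_PAYLOAD)))

    // 3. DTD-tolerant factory: the DOCTYPE is accepted, but the external entity is never
    //    fetched, so the secret does not appear in <note>.
    val leaked = noteText(parseWith(dtdTolerantFactory(), payload))
    println("dtd-tolerant:     note='" + leaked + "' leaked=" + leaked.contains("TOP-SECRET-TOKEN"))
}
```

Run it as a single-file script (`kotlinc Xxe.kt -include-runtime -d xxe.jar && java -jar xxe.jar`). The hardened factory fails closed: a DOCTYPE in the input is a parse error, not a silently ignored declaration, which is why it is the configuration to reach for unless the document format genuinely needs a DTD.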

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```kotlin
import java.io.File
import javax.xml.parsers.DocumentBuilderFactory

fun parseXmlUnsafe(input: File) {
    // WARNING: Vulnerable to XXE attacks. The stock factory accepts a DOCTYPE and
    // resolves external entities, so attacker-controlled input can make the parser
    // read local files or reach internal hosts.
    val factory = DocumentBuilderFactory.newInstance()
    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Unsafe parsing
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```kotlin
import java.io.File
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory

fun parseXmlSafe(input: File) {
    val factory = DocumentBuilderFactory.newInstance().apply {
        // Disable DTDs completely - recommended approach. Any document with a
        // DOCTYPE is rejected with a SAXParseException before entities are seen.
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)

        // Defense in depth: these are the settings that matter if DTDs must stay enabled.
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")  // "" = no protocol allowed
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    }
    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Safe parsing: no entity can be declared or fetched
}

fun parseXmlSafe2(input: File) {
    val factory = DocumentBuilderFactory.newInstance()

    // Disable DTDs completely - recommended approach. Any document with a
    // DOCTYPE is rejected with a SAXParseException before entities are seen.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)

    // Defense in depth: these are the settings that matter if DTDs must stay enabled.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")  // "" = no protocol allowed
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)

    val builder = factory.newDocumentBuilder()
    val doc = builder.parse(input)  // Safe parsing: no entity can be declared or fetched
}
```