
Metadata

ID: swift-security/xxe-parser

Language: Unknown

Severity: Warning

Category: Security

CWE: 611

Description

This rule ensures that XML parsers do not resolve external entities during parsing. Resolving external entities can expose applications to XML External Entity (XXE) attacks, where malicious XML input can access sensitive files, cause denial of service, or execute remote requests. Preventing the resolution of external entities helps protect the application from these security vulnerabilities.

It is important to disable the shouldResolveExternalEntities property on XML parser instances or leave it unset, as it defaults to false in most implementations. This reduces the attack surface by preventing the parser from fetching or processing external resources referenced in the XML content. Developers should explicitly set parser.shouldResolveExternalEntities = false or avoid enabling it unless absolutely necessary.

To comply with this rule, ensure your XML parsing code does not enable external entity resolution. For example, write parser.shouldResolveExternalEntities = false or omit this property entirely since it is disabled by default. Always validate and sanitize XML input and prefer safer parsing configurations to avoid introducing security risks related to external entities.
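As an added example (not part of the Datadog rule page), the helper below wraps XMLParser so that shouldResolveExternalEntities stays false and, as a second layer, the delegate aborts parsing as soon as the document declares an external entity; the two sample documents are constructed for this example, and the SafeXMLParser name and the example.invalid URI are assumptions.

```swift
import Foundation

/// Parses untrusted XML with external entity resolution disabled and
/// aborts as soon as an external entity declaration is encountered.
final class SafeXMLParser: NSObject, XMLParserDelegate {
    private(set) var elementNames: [String] = []
    private(set) var rejectedEntity: String?

    func parse(_ data: Data) -> Bool {
        let parser = XMLParser(data: data)
        parser.delegate = self
        // The property already defaults to false; set it explicitly so the
        // intent survives refactoring and static analysis can see it.
        parser.shouldResolveExternalEntities = false
        let ok = parser.parse()
        // parse() returns false when we abort or when the XML is malformed.
        return ok && rejectedEntity == nil
    }

    // Fired for <!ENTITY name SYSTEM "..."> declarations in the DTD;
    // we treat any such declaration in untrusted input as a reason to stop.
    func parser(_ parser: XMLParser, foundExternalEntityDeclarationWithName name: String,
                publicID: String?, systemID: String?) {
        rejectedEntity = name
        parser.abortParsing()
    }

    func parser(_ parser: XMLParser, didStartElement elementName: String, namespaceURI: String?,
                qualifiedName qName: String?, attributes attributeDict: [String: String] = [:]) {
        elementNames.append(elementName)
    }
}

// Constructed sample documents (hypothetical, not taken from the rule page).
let benign = "<?xml version=\"1.0\"?><note><body>hello</body></note>"
let withExternalEntity = """
<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "http://example.invalid/entity.txt"> ]>
<note><body>&ext;</body></note>
"""

let safe = SafeXMLParser()
print("benign accepted:", safe.parse(benign.data(using: .utf8)!))
let strict = SafeXMLParser()
print("external entity accepted:", strict.parse(withExternalEntity.data(using: .utf8)!))
print("rejected entity:", strict.rejectedEntity ?? "none")
```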

Non-Compliant Code Examples

class XXEViewController: UIViewController, XMLParserDelegate {

    func test(xml: String) {
        // Convert the incoming XML string to Data before parsing
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // Non-compliant: enabling external entity resolution exposes the app to XXE
        parser.shouldResolveExternalEntities = true
        parser.parse()
    }

}

class XXEViewController: UIViewController, XMLParserDelegate {
    func test(rawXml: String) {
        let rawXmlConvToData: Data = rawXml.data(using: .utf8)!
        let myParser: XMLParser = XMLParser(data: rawXmlConvToData)
        // Non-compliant: external entity resolution is explicitly enabled
        myParser.shouldResolveExternalEntities = true
        myParser.delegate = self
        let success: Bool = myParser.parse()
        _ = success
    }
}

Compliant Code Examples

class XXEViewController: UIViewController, XMLParserDelegate {
    func test(xml: String) {
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // ok: external entity resolution is disabled by default, so leaving the property unset is safe
        parser.parse()
    }
}

class XXEViewController: UIViewController, XMLParserDelegate {

    func test(xml: String) {
        let parser = XMLParser(data: xml.data(using: .utf8)!)
        parser.delegate = self
        // ok: external entity resolution explicitly disabled
        parser.shouldResolveExternalEntities = false
        parser.parse()
    }

}