XML parsing vulnerable to XXE (XMLStreamReader)

Bug Pattern: XXE_XMLSTREAMREADER

Attack

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source.

Risk 1: Expose local file content (XXE: XML eXternal Entity)

  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <!DOCTYPE foo [
  3.    <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
  4. <foo>&xxe;</foo>

Risk 2: Denial of service (XEE: Xml Entity Expansion)

  1. <?xml version="1.0"?>
  2. <!DOCTYPE lolz [
  3.  <!ENTITY lol "lol">
  4.  <!ELEMENT lolz (#PCDATA)>
  5.  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  6.  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  7.  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  8. [...]
  9.  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  10. ]>
  11. <lolz>&lol9;</lolz>

Solution

In order to avoid exposing dangerous feature of the XML parser, you can do the following change to the code.

Vulnerable Code:

  1. public void parseXML(InputStream input) throws XMLStreamException {
  3.     XMLInputFactory factory = XMLInputFactory.newFactory();
  4.     XMLStreamReader reader = factory.createXMLStreamReader(input);
  5.     [...]
  6. }

The following snippets show two available solutions. You can set one property or both.

Solution disabling External Entities:

  1. public void parseXML(InputStream input) throws XMLStreamException {
  3.     XMLInputFactory factory = XMLInputFactory.newFactory();
  4.     factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
  5.     XMLStreamReader reader = factory.createXMLStreamReader(input);
  6.     [...]
  7. }

Solution disabling DTD:

  1. public void parseXML(InputStream input) throws XMLStreamException {
  3.     XMLInputFactory factory = XMLInputFactory.newFactory();
  4.     factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
  5.     XMLStreamReader reader = factory.createXMLStreamReader(input);
  6.     [...]
  7. }

References
CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’)
CERT: IDS10-J. Prevent XML external entity attacks
OWASP.org: XML External Entity (XXE) Processing
WS-Attacks.org: XML Entity Expansion
WS-Attacks.org: XML External Entity DOS
WS-Attacks.org: XML Entity Reference Attack
Identifying Xml eXternal Entity vulnerability (XXE)
JEP 185: Restrict Fetching of External XML Resources