(HCL AppScan) Fixed finding: "Potential External Entities (XXE) attack vector discovered"

[ghost]

Remediation

This change fixes "Potential External Entities (XXE) attack vector discovered" (id = Potential External Entities (XXE) attack vector discovered) identified by HCL AppScan.

Details

This change prevents XML parsing APIs from resolving external entities, which can protect you from arbitrary code execution, sensitive data exfiltration, and probably a bunch more evil things attackers are still discovering.

Without this protection, attackers can cause your parser to retrieve sensitive information with attacks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<book>
    <title>&xxe;</title>
</book>

Yes, it's pretty insane that this is the default behavior. Our change hardens the factories created with the necessary security features to prevent your parser from resolving external entities.

More reading

• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
• https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: appscan:java/potential-external-entities