Talk:XML External Entity (XXE) Prevention Cheat Sheet

The following code suffers from XXE despite the XMLReader recommendations in OWASP, which say that these setFeature calls would resolve it.

However, this is not true for XOM.nu (tested on version 1.2.5), a third-party XML plugin. I don't know how popular it is, but it is used by Jenkins. I'm not implying Jenkins is vulnerable, merely that a lib it uses doesn't have a proper OWASP usage recommendation.

Anyway, assuming the content of c:\test.txt is "This is TEXT inside the file C:\test.txt"

import java.io.InputStream;
import org.apache.commons.io.IOUtils;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
import nu.xom.*;

public class helloworld {
    public static void main(String[] args) throws Exception {
        // To get this to run, the file c:\test.txt must exist and have content.
        // Alternatively, change the path in <!ENTITY xxe SYSTEM "file:///[file]">
        String newline = System.getProperty("line.separator");
        // The element tags of the test document were stripped when this was posted;
        // the root "bar" follows from the DOCTYPE, the child element names below are
        // reconstructed and only need to be well-formed.
        String xml = "<!DOCTYPE bar [" + newline
            + "<!ENTITY xxe SYSTEM \"file:///c:/test.txt\">" + newline
            + "]>" + newline
            + "<bar>" + newline
            + "  <foo>&xxe;</foo>" + newline
            + "  <isbn>11112222333</isbn>" + newline
            + "  <title>The Great Big Useless Book of XMLs</title>" + newline
            + "</bar>";

        // Vulnerable XOM Parser
        XMLReader xerces = XMLReaderFactory.createXMLReader();
        //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        xerces.setFeature("http://xml.org/sax/features/external-general-entities", false);
        xerces.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        xerces.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XOM's Builder reconfigures the XMLReader it is handed and switches the
        // external-entity features back on, so the three calls above do not stop
        // &xxe; from being resolved; the disallow-doctype-decl feature is left alone.
        Builder b = new Builder(xerces);
        InputStream is2 = IOUtils.toInputStream(xml, "UTF-8");
        Document d = b.build(is2);
        System.out.println("XOM Reader: " + d.getValue());
    }
}

Output: XOM Reader: This is TEXT inside the file C:\test.txt 11112222333 The Great Big Useless Book of XMLs

However, if the line //xerces.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); is uncommented, a nu.xom.ParsingException is thrown for this XML, preventing exploitation.

This leads us (Checkmarx Research Group) to believe the recommendations in OWASP for XMLReader are partial; we actually advise removing direct explicit recommendations entirely and requiring devs to adhere to specific platform best practices and documentation instead.
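The same experiment as a self-contained Java program, added here as an illustration; it is not part of the post above and not XOM's or OWASP's own code. Instead of c:\test.txt it writes a constructed temporary file and points the entity at it, so it runs on any OS, then parses a constructed &lt;bar&gt;&lt;foo&gt;&amp;xxe;&lt;/foo&gt;&lt;/bar&gt; document with XOM twice: once with only the three entity features disabled and once with disallow-doctype-decl set as well. The class and method names (XomXxeDemo, newReader, parseWithXom), the element names and the file content are assumptions; it needs XOM and a Xerces-backed XMLReader (the JDK's built-in one suffices) on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.ParsingException;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public class XomXxeDemo {

    // Builds the XMLReader handed to XOM. The three entity features are always
    // disabled (the OWASP XMLReader advice); with hardened == true the DOCTYPE is
    // rejected outright, which is the one setting XOM's Builder does not override.
    static XMLReader newReader(boolean hardened) throws SAXException {
        XMLReader reader = XMLReaderFactory.createXMLReader();
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        if (hardened) {
            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return reader;
    }

    // Parses the document with XOM and returns the concatenated text content,
    // i.e. whatever the entity expanded to.
    static String parseWithXom(String xml, boolean hardened) throws Exception {
        Builder builder = new Builder(newReader(hardened));
        Document doc = builder.build(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for c:\test.txt; deleted when the JVM exits.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-FILE-CONTENT".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed payload: the external entity points at the temp file.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE bar [\n"
            + "<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<bar><foo>&xxe;</foo></bar>\n";

        // 1. Entity features only: XOM still resolves the entity and the file
        //    content ends up in the document text.
        System.out.println("features only : " + parseWithXom(xml, false));

        // 2. DOCTYPE forbidden: Xerces rejects the document before any entity can
        //    be declared, and XOM surfaces that as a ParsingException.
        try {
            parseWithXom(xml, true);
            System.out.println("hardened      : UNEXPECTED - document parsed");
        } catch (ParsingException e) {
            System.out.println("hardened      : rejected (" + e.getMessage() + ")");
        }
    }
}
```

XMLReaderFactory is deprecated since Java 9; SAXParserFactory.newInstance().newSAXParser().getXMLReader() is the replacement and accepts the same feature URIs. Whichever way the reader is obtained, the practical rule this demonstrates is the one the post arrives at: when handing a parser to a wrapper library such as XOM, verify with a payload like the one above that the settings survive the wrapper, rather than trusting that setFeature alone did the job.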