go.lang.security.audit.xxe.parsing-external-entities-enabled.parsing-external-entities-enabled

Author: semgrep

Detected enabling of "XMLParseNoEnt", which allows parsing of external entities and can lead to XXE if user controlled data is parsed by the library. Instead, do not enable "XMLParseNoEnt" or be sure to adequately sanitize user-controlled data when it is being parsed by this library.

Definition

rules:
  - id: parsing-external-entities-enabled
    patterns:
      - pattern-inside: |
          import ("github.com/lestrrat-go/libxml2/parser")
          ...
      - pattern: $PARSER := parser.New(parser.XMLParseNoEnt)
    message: Detected enabling of "XMLParseNoEnt", which allows parsing of external
      entities and can lead to XXE if user controlled data is parsed by the
      library. Instead, do not enable "XMLParseNoEnt" or be sure to adequately
      sanitize user-controlled data when it is being parsed by this library.
    languages:
      - go
    severity: WARNING
    metadata:
      category: security
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      references:
        - https://knowledge-base.secureflag.com/vulnerabilities/xml_injection/xml_entity_expansion_go_lang.html
        - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
      technology:
        - libxml2
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

parsing-external-entities-enabled.go

package main

import (
	"fmt"

	"github.com/lestrrat-go/libxml2/parser"
)

func vuln() {
	// Test document: the internal DTD declares an external entity that
	// resolves to a local file, and the body references it.
	const s = "<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><t>&e;</t>"
	// ruleid: parsing-external-entities-enabled
	// XMLParseNoEnt makes libxml2 substitute entities, so &e; is replaced
	// with the contents of /etc/passwd during parsing.
	p := parser.New(parser.XMLParseNoEnt)
	doc, err := p.ParseString(s)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("Doc successfully parsed!")
	fmt.Println(doc)
}

func not_vuln() {
	const s = "<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><t>&e;</t>"
	// ok: parsing-external-entities-enabled
	// Without XMLParseNoEnt the entity reference is left unexpanded.
	p := parser.New()
	doc, err := p.ParseString(s)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("Doc successfully parsed!")
	fmt.Println(doc)
}

func main() {
	vuln()
	not_vuln()
}
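The rule message recommends sanitizing user-controlled data before it reaches the libxml2 parser. The following is an added example of one such pre-check, not code from Semgrep or from the lestrrat-go/libxml2 binding: it tokenizes the untrusted bytes with Go's standard encoding/xml package (which performs no entity expansion and no file or network access) and rejects any document carrying a DTD, the only place an external entity can be declared. The function name RejectDTD and the error value are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// ErrDoctypeNotAllowed is returned for any input carrying a DTD, the only
// place an external entity (the XXE vector) can be declared.
var ErrDoctypeNotAllowed = errors.New("xml: DOCTYPE declarations are not allowed in untrusted input")

// RejectDTD scans untrusted XML with encoding/xml, which never expands
// entities or touches files or the network, and refuses any document that
// contains a <!DOCTYPE ...> directive. Only input that returns nil here
// should be handed to a libxml2 parser, whatever options it was built with.
func RejectDTD(data []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = true // also rejects undeclared entity references such as &e;
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("xml: malformed input: %w", err)
		}
		// encoding/xml delivers "<!DOCTYPE d [ ... ]>" as a single Directive
		// token, internal subset included, so one check covers inline entities.
		if d, ok := tok.(xml.Directive); ok && bytes.HasPrefix(bytes.TrimSpace(d), []byte("DOCTYPE")) {
			return ErrDoctypeNotAllowed
		}
	}
}

func main() {
	// Constructed inputs: the XXE payload from the rule's test file and a benign document.
	inputs := []string{
		`<!DOCTYPE d [<!ENTITY e SYSTEM "file:///etc/passwd">]><t>&e;</t>`,
		`<?xml version="1.0"?><t attr="1"><u/>hello</t>`,
	}
	for _, in := range inputs {
		if err := RejectDTD([]byte(in)); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted: safe to pass to the libxml2 parser")
	}
}
```

Because the check runs on the raw bytes before libxml2 sees them, it holds even if someone later re-enables XMLParseNoEnt on the downstream parser.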