ruby.rails.security.audit.xxe.libxml-backend.libxml-backend

Author
unknown

This application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead.
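An added example (not part of this rule or the Semgrep project) showing the behaviour the rule message relies on: REXML, Ruby's standard-library parser, leaves a reference to an externally declared entity unresolved, and a short check can reject such declarations outright. The two sample documents and the helper names (external_entity_names, parse_untrusted, etc.) are constructed for this illustration.

```ruby
require 'rexml/document'

# Constructed sample: a DTD declaring an external entity (the XXE shape)
# that is then referenced from element content.
XXE_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY xxe SYSTEM "file:///etc/hostname">
  ]>
  <note><body>&xxe;</body></note>
XML

# Constructed sample: a plain document with no DOCTYPE at all.
BENIGN_SAMPLE = '<note><body>hello</body></note>'

# Names of every SYSTEM or PUBLIC entity declared in the document's DTD.
# REXML::Entity#external holds the keyword ("SYSTEM"/"PUBLIC") or nil.
def external_entity_names(doc)
  return [] unless doc.doctype
  doc.doctype.entities.values.select(&:external).map(&:name)
end

def declares_external_entity?(xml)
  !external_entity_names(REXML::Document.new(xml)).empty?
end

# Text of <body> as REXML exposes it. REXML never fetches external
# entities, so the reference comes back verbatim as "&xxe;" rather than
# as file contents.
def body_text(xml)
  REXML::Document.new(xml).root.elements['body'].text
end

# Defence in depth for untrusted input: parse with REXML (which does not
# resolve external entities) and refuse any document that declares one,
# so a later backend change cannot silently make the declaration live.
def parse_untrusted(xml)
  doc = REXML::Document.new(xml)
  names = external_entity_names(doc)
  raise ArgumentError, "external entity declaration rejected: #{names.join(', ')}" unless names.empty?
  doc
end

if __FILE__ == $PROGRAM_NAME
  puts body_text(XXE_SAMPLE)                 # &xxe;
  puts declares_external_entity?(XXE_SAMPLE) # true
  begin
    parse_untrusted(XXE_SAMPLE)
  rescue ArgumentError => e
    puts e.message
  end
end
```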

Definition

rules:
  - id: libxml-backend
    languages:
      - ruby
    pattern: ActiveSupport::XmlMini.backend = "LibXML"
    severity: WARNING
    message: This application is using LibXML as the XML backend. LibXML can be
      vulnerable to XML External Entities (XXE) vulnerabilities. Use the
      built-in Rails XML parser, REXML, instead.
    metadata:
      references:
        - https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/
        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      technology:
        - rails
        - libxml
      category: security
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection

Examples

libxml-backend.rb

# cf. https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/

require 'active_support/xml_mini'
require 'libxml'

# ruleid: libxml-backend
ActiveSupport::XmlMini.backend = 'LibXML'

# ok: libxml-backend
ActiveSupport::XmlMini.backend = 'REXML'

# ok: libxml-backend
ActiveSupport::XmlMini.backend = 'Nokogiri'

# Deny entity replacement in LibXML parsing: a process-wide default that
# stops the parser from substituting (external) entity references.
LibXML::XML.default_substitute_entities = false