ruby.rails.security.audit.xxe.libxml-backend.libxml-backend
semgrep
Author
unknown
This application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead.
Definition
rules:
  - id: libxml-backend
    languages:
      - ruby
    pattern: ActiveSupport::XmlMini.backend = "LibXML"
    severity: WARNING
    message: This application is using LibXML as the XML backend. LibXML can be
      vulnerable to XML External Entities (XXE) vulnerabilities. Use the
      built-in Rails XML parser, REXML, instead.
    metadata:
      references:
        - https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/
        - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
      technology:
        - rails
        - libxml
      category: security
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
Examples
libxml-backend.rb
# cf. https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/
require 'active_support/xml_mini' # provides ActiveSupport::XmlMini
require 'xml'                     # libxml-ruby (legacy entry point, also loads LibXML)
require 'libxml'                  # libxml-ruby

# ruleid: libxml-backend
ActiveSupport::XmlMini.backend = 'LibXML'

# ok: libxml-backend
ActiveSupport::XmlMini.backend = 'REXML'

# ok: libxml-backend
ActiveSupport::XmlMini.backend = 'Nokogiri'

# Deny entity replacement in LibXML parsing.
# Note: this only defines a class method; the default changes when the method
# is called. The setter LibXML::XML.default_substitute_entities = false is what
# actually disables entity substitution.
LibXML::XML.class_eval do
  def self.default_substitute_entities
    XML.default_substitute_entities = false
  end
end
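The rule recommends REXML because it does not fetch external entities. The following self-check, added here and not part of the Semgrep rule or the StackHawk fixture above, parses a constructed document that declares an external entity pointing at a temporary file and verifies that the file's contents never reach the parsed text. PROBE_MARKER, probe_document and rexml_resolves_external_entities? are names chosen for this example; REXML and Tempfile ship with Ruby, so nothing else needs to be installed.

```ruby
# Added example (not part of the Semgrep rule or its test fixture): a small
# self-check that the XML parser in use does not resolve external entities.
# It uses REXML, the backend the rule recommends, which ships with Ruby.
require 'rexml/document'
require 'tempfile'

# Constructed marker: if this string shows up in parsed text, the parser
# fetched the external entity and the configuration is unsafe.
PROBE_MARKER = 'XXE-PROBE-MARKER-4f2c'.freeze

# Builds a constructed XML document whose DTD declares an external entity
# pointing at a local file and references it from an element's text.
def probe_document(path)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE note [
      <!ENTITY ext SYSTEM "file://#{path}">
    ]>
    <note><body>&ext;</body></note>
  XML
end

# Parses the probe with REXML and reports whether the external entity was
# expanded into the element text. Returns true only if the marker leaked.
def rexml_resolves_external_entities?
  Tempfile.create(['xxe-probe', '.txt']) do |f|
    f.write(PROBE_MARKER)
    f.flush
    begin
      doc = REXML::Document.new(probe_document(f.path))
      # REXML leaves an unresolvable reference as the literal "&ext;".
      text = doc.root.elements['body'].text.to_s
      text.include?(PROBE_MARKER)
    rescue REXML::ParseException
      # A parser that rejects the DOCTYPE outright also did not leak the file.
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  leaked = rexml_resolves_external_entities?
  puts(leaked ? 'UNSAFE: external entity was resolved' : 'ok: external entity not resolved')
end
```

The same probe can be run against whatever backend ActiveSupport::XmlMini is configured with; an application that keeps LibXML should combine it with the LibXML::XML.default_substitute_entities = false setting the fixture refers to and re-run the check rather than assume the default is safe.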
Short Link: https://sg.run/0AXq