ruby.rails.security.audit.xxe.xml-external-entities-enabled.xml-external-entities-enabled
semgrep
Author
unknown
Download Count*
License
This application is explicitly enabling external entities enabling an attacker to inject malicious XML to exploit an XML External Entities (XXE) vulnerability. This could let the attacker cause a denial-of-service by forcing the parser to parse large files, or at worst, let the attacker download sensitive files or user data. Use the built-in Rails XML parser, REXML, instead.
Run Locally
Run in CI
Defintion
rules:
- id: xml-external-entities-enabled
languages:
- ruby
patterns:
- pattern-either:
- pattern-inside: |
LibXML::XML.class_eval do
...
end
- pattern-inside: |
XML.class_eval do
...
end
- pattern: XML.default_substitute_entities = true
severity: ERROR
message: This application is explicitly enabling external entities enabling an
attacker to inject malicious XML to exploit an XML External Entities (XXE)
vulnerability. This could let the attacker cause a denial-of-service by
forcing the parser to parse large files, or at worst, let the attacker
download sensitive files or user data. Use the built-in Rails XML parser,
REXML, instead.
metadata:
references:
- https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
technology:
- rails
- libxml
category: security
cwe:
- "CWE-611: Improper Restriction of XML External Entity Reference"
owasp:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- XML Injection
Examples
xml-external-entities-enabled.rb
require 'xml'
require 'libxml'
# Change the ActiveSupport XML backend from REXML to LibXML
ActiveSupport::XmlMini.backend = 'LibXML'
LibXML::XML.class_eval do
def self.default_substitute_entities
# ruleid: xml-external-entities-enabled
XML.default_substitute_entities = true
end
end
LibXML::XML.class_eval do
def self.default_substitute_entities
# ok: xml-external-entities-enabled
XML.default_substitute_entities = false
end
end
Short Link: https://sg.run/KLvY