# XXE

#### XXE in Java

**Vulnerability:** XML External Entities (XXE)

**Vulnerable Code:**

```java
javaCopy codeDocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(new File("input.xml"));
```

**Reason for vulnerability:** This code does not disable external entity processing, allowing an attacker to read arbitrary files or perform SSRF attacks.

**Fixed Code:**

```java
javaCopy codeDocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(new File("input.xml"));
```

**Reason for fix:** Disabling the DOCTYPE declaration prevents external entities from being processed, mitigating XXE vulnerabilities.

***

**Example 2: Python**

**Vulnerable Code:**

```python
pythonCopy codetree = ET.parse('file.xml')
```

**Reason for vulnerability:** External entities are enabled by default, allowing XXE attacks.

**Fixed Code:**

```python
pythonCopy codeparser = ET.XMLParser(resolve_entities=False)
tree = ET.parse('file.xml', parser=parser)
```

**Reason for fix:** Disable external entities to prevent XXE attacks.

***

### Java Example

#### Vulnerable Code:

```java
javaCopyimport javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;

public class XMLParser {
    public Document parseXML(String xmlString) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xmlString)));
    }
}
```

#### Reason for Vulnerability:

This code uses the default configuration of DocumentBuilderFactory, which allows external entity resolution, potentially leading to XXE attacks.

#### Fixed Code:

```java
javaCopyimport javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;

public class XMLParser {
    public Document parseXML(String xmlString) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xmlString)));
    }
}
```

#### Reason for Fix:

The fixed code disables external entity resolution and other potentially dangerous features, preventing XXE attacks.

### Java Example

#### Vulnerable Code:

```java
javaCopyimport org.dom4j.Document;
import org.dom4j.io.SAXReader;

public class XMLProcessor {
    public Document processXML(InputStream xmlStream) throws Exception {
        SAXReader reader = new SAXReader();
        return reader.read(xmlStream);
    }
}
```

#### Reason for Vulnerability:

This code uses the default configuration of SAXReader, which allows external entity resolution, potentially leading to XXE attacks.

#### Fixed Code:

```java
javaCopyimport org.dom4j.Document;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class XMLProcessor {
    public Document processXML(InputStream xmlStream) throws Exception {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader.read(xmlStream);
    }
}
```

#### Reason for Fix:

The fixed code disables external entity resolution and DOCTYPE declarations, preventing XXE attacks when using dom4j.

### Python Example

#### Vulnerable Code:

```python
pythonCopyfrom lxml import etree

def parse_xml(xml_string):
    parser = etree.XMLParser()
    root = etree.fromstring(xml_string, parser)
    return root
```

#### Reason for Vulnerability:

This code uses the default XMLParser from lxml, which allows entity expansion and external entity resolution, potentially leading to XXE attacks.

#### Fixed Code:

```python
pythonCopyfrom lxml import etree

def parse_xml(xml_string):
    parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False)
    root = etree.fromstring(xml_string, parser)
    return root
```

#### Reason for Fix:

The fixed code configures the XMLParser to disable entity resolution, network access, and DTD validation, preventing XXE attacks when using lxml.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://playbook.sidthoviti.com/devsecops/secure-coding/code-review-examples/xxe.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.