Veracode XML External Entity Reference (XXE)

Question

I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow

...

  DocumentBuilderFactory dbf=null;      
  DocumentBuilder db = null;    
  try {         
        dbf=DocumentBuilderFactory.newInstance();  
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 
        dbf.setExpandEntityReferences(false); 
        dbf.setXIncludeAware(false);        
        dbf.setValidating(false); 
        dbf.newDocumentBuilder();   
        InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
        Document doc = db.parse(stream, "");            

...

I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?

Answer 1

Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Answer 2

Background:

The XXE attack is constructed around XML language capabilities to define arbitrary entities using the external Data Type Definition (DTD) and the ability to read or execute files.

Below is an example of XML file containing DTD declaration that when processed may return output of local “/etc/passwd” file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [
    <!ELEMENT test ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Mitigation:

To avoid exploitation of XEE vulnerability the best approach is to disable the ability to load entities from external source.

Now the way to disable the DTDs will defer depending upon the language used (Java,C++, .NET) and the XML parser being used (DocumentBuilderFactory, SAXParserFactory, TransformerFactory to name a few considering the java language).

Below two official references provides the best information on how to achieve the same.

https://rules.sonarsource.com/java/RSPEC-2755

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md