Matter AI | Code Reviewer Documentation

XML Vulnerabilities Overview

XML External Entity (XXE) Injection

// Anti-pattern: Vulnerable to XXE injection
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document parseXml(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Parse XML without disabling external entities
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing XXE injection
public Document parseXmlSecurely(String xml) throws Exception {
    // Create a secure DocumentBuilderFactory
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable external entities and DTDs
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Anti-pattern: Vulnerable to XXE injection in PHP
function parseXml($xmlString) {
    $dom = new DOMDocument();
    $dom->loadXML($xmlString); // Vulnerable to XXE
    return $dom;
}

// Better approach: Preventing XXE injection in PHP
function parseXmlSecurely($xmlString) {
    $dom = new DOMDocument();
    
    // Disable external entities
    $prevValue = libxml_disable_entity_loader(true);
    
    // Use LIBXML_NONET to prevent network access during XML processing
    $dom->loadXML($xmlString, LIBXML_NONET);
    
    // Restore previous value
    libxml_disable_entity_loader($prevValue);
    
    return $dom;
}

# Anti-pattern: Vulnerable to XXE injection in Python
from xml.dom.minidom import parseString

def parse_xml(xml_string):
    # Vulnerable to XXE
    return parseString(xml_string)

# Better approach: Preventing XXE injection in Python
import defusedxml.minidom

def parse_xml_securely(xml_string):
    # Use defusedxml library which is secure against XXE
    return defusedxml.minidom.parseString(xml_string)

XML External Entity (XXE) injection occurs when an application processes XML input containing references to external entities, potentially leading to information disclosure, denial of service, or server-side request forgery.To prevent XXE injection:

Disable external entities and DTDs in XML parsers
Use secure XML parsing libraries (like defusedxml in Python)
Configure XML parsers to disable entity expansion
Consider using alternative data formats like JSON when possible
Implement proper input validation
Keep XML parsing libraries updated
Consider using XML schema validation
Implement proper error handling for XML parsing

XML Entity Expansion (Billion Laughs Attack)

<!-- Anti-pattern: XML with entity expansion (Billion Laughs Attack) -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

// Anti-pattern: Vulnerable to entity expansion attacks
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document parseXml(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Parse XML without limiting entity expansion
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing entity expansion attacks
public Document parseXmlSecurely(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable DTDs and external entities
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    
    // If DTDs must be allowed, limit entity expansion
    // factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
    // factory.setXIncludeAware(false);
    // factory.setExpandEntityReferences(false);
    
    // Set entity expansion limit
    System.setProperty("jdk.xml.entityExpansionLimit", "100");
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}

XML Entity Expansion attacks (also known as the Billion Laughs Attack) exploit recursive entity definitions to cause denial of service by consuming excessive memory and CPU resources.To prevent XML Entity Expansion attacks:

Disable DTDs and external entities when possible
Set entity expansion limits
Disable entity expansion altogether if not needed
Use XML parsers that are not vulnerable to entity expansion
Consider using alternative data formats like JSON
Implement proper input validation
Consider implementing timeout mechanisms for XML parsing
Monitor system resources during XML processing

XPath Injection

// Anti-pattern: Vulnerable to XPath injection
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public String getUserEmail(Document doc, String username, String password) {
    XPath xpath = XPathFactory.newInstance().newXPath();
    
    // Vulnerable to XPath injection
    String expression = "/users/user[username='" + username + "' and password='" + password + "']/email";
    
    return xpath.evaluate(expression, doc);
}

// Better approach: Preventing XPath injection
public String getUserEmailSecurely(Document doc, String username, String password) {
    XPath xpath = XPathFactory.newInstance().newXPath();
    
    // Use XPath variables instead of string concatenation
    String expression = "/users/user[username=$username and password=$password]/email";
    
    // Create a variable resolver
    SimpleVariableResolver resolver = new SimpleVariableResolver();
    resolver.addVariable("username", username);
    resolver.addVariable("password", password);
    
    xpath.setXPathVariableResolver(resolver);
    
    return xpath.evaluate(expression, doc);
}

// Simple variable resolver implementation
class SimpleVariableResolver implements XPathVariableResolver {
    private Map<QName, Object> variables = new HashMap<>();
    
    public void addVariable(String name, Object value) {
        variables.put(new QName(name), value);
    }
    
    @Override
    public Object resolveVariable(QName variableName) {
        return variables.get(variableName);
    }
}

// Anti-pattern: Vulnerable to XPath injection in PHP
function getUserEmail($xml, $username, $password) {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    
    $xpath = new DOMXPath($doc);
    
    // Vulnerable to XPath injection
    $query = "/users/user[username='$username' and password='$password']/email";
    
    $result = $xpath->query($query);
    return $result->length > 0 ? $result->item(0)->nodeValue : null;
}

// Better approach: Preventing XPath injection in PHP
function getUserEmailSecurely($xml, $username, $password) {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    
    $xpath = new DOMXPath($doc);
    
    // Use XPath variables instead of string concatenation
    $query = "/users/user[username=:username and password=:password]/email";
    
    // Register PHP variables as XPath variables
    $xpath->registerNamespace('php', 'http://php.net/xpath');
    $xpath->registerPhpFunctions();
    
    // Replace placeholders with function calls that return sanitized values
    $query = str_replace(':username', "php:functionString('addslashes', '$username')", $query);
    $query = str_replace(':password', "php:functionString('addslashes', '$password')", $query);
    
    $result = $xpath->query($query);
    return $result->length > 0 ? $result->item(0)->nodeValue : null;
}

XPath injection occurs when user input is used to construct XPath queries without proper validation or escaping, potentially allowing attackers to manipulate the query logic.To prevent XPath injection:

Use parameterized XPath queries with variable resolvers
Implement proper input validation
Consider using XPath query builders
Avoid constructing XPath expressions through string concatenation
Use the principle of least privilege for XML access
Consider using XML schema validation
Implement proper error handling that doesn’t reveal query details
Consider using alternative data access methods when possible

Server-Side Request Forgery (SSRF) via XML

<!-- Anti-pattern: XML with external entity that can cause SSRF -->
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://internal-server/sensitive-data" >
]>
<foo>&xxe;</foo>

// Anti-pattern: Processing XML that could lead to SSRF
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.StringReader;
import org.xml.sax.InputSource;

public Document processXmlDocument(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    
    // Vulnerable to SSRF via XXE
    return builder.parse(new InputSource(new StringReader(xml)));
}

// Better approach: Preventing SSRF via XML
public Document processXmlDocumentSecurely(String xml) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    
    // Disable external entities and DTDs
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
}

Server-Side Request Forgery (SSRF) via XML occurs when XML processors resolve external entities, allowing attackers to make the server perform requests to internal or external resources.To prevent SSRF via XML:

Disable external entity resolution in XML parsers
Disable DTD processing if possible
Implement network access controls
Use XML parsers that don’t resolve external entities by default
Consider using a whitelist of allowed resources
Implement proper input validation
Consider using alternative data formats like JSON
Implement proper error handling that doesn’t reveal sensitive information

XML Signature Wrapping

<!-- Anti-pattern: Vulnerable XML with signature -->
<soap:Envelope>
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body">
            <!-- Signature details -->
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <ns1:getAccount>
      <accountId>12345</accountId>
    </ns1:getAccount>
  </soap:Body>
</soap:Envelope>

// Anti-pattern: Vulnerable signature validation
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dom.*;
import org.w3c.dom.Document;

public boolean validateSignature(Document doc) throws Exception {
    NodeList signatureNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (signatureNodes.getLength() == 0) {
        return false;
    }
    
    DOMValidateContext valContext = new DOMValidateContext(keySelector, signatureNodes.item(0));
    
    // Vulnerable to signature wrapping attacks
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = factory.unmarshalXMLSignature(valContext);
    
    return signature.validate(valContext);
}

// Better approach: Secure signature validation
public boolean validateSignatureSecurely(Document doc) throws Exception {
    NodeList signatureNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
    if (signatureNodes.getLength() == 0) {
        return false;
    }
    
    // Create validation context
    DOMValidateContext valContext = new DOMValidateContext(keySelector, signatureNodes.item(0));
    
    // Set secure validation properties
    valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
    
    // Unmarshal the signature
    XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature signature = factory.unmarshalXMLSignature(valContext);
    
    // Validate the signature
    boolean coreValidity = signature.validate(valContext);
    
    if (coreValidity) {
        // Additional checks to prevent signature wrapping
        // 1. Verify that the signed element is the expected one
        SignedInfo signedInfo = signature.getSignedInfo();
        List<Reference> references = signedInfo.getReferences();
        
        for (Reference ref : references) {
            String uri = ref.getURI();
            if (uri.startsWith("#")) {
                String id = uri.substring(1);
                Element signedElement = getElementById(doc, id);
                
                // Verify it's the expected element (e.g., soap:Body)
                if (!signedElement.getLocalName().equals("Body")) {
                    return false;
                }
            }
        }
        
        return true;
    }
    
    return false;
}

// Helper method to get element by ID securely
private Element getElementById(Document doc, String id) {
    // Implement a secure getElementById method that handles potential duplicates
    // and verifies the element is in the expected position in the document
}

XML Signature Wrapping (XSW) attacks exploit vulnerabilities in the way XML signatures are validated, allowing attackers to modify signed XML documents while keeping the signature valid.To prevent XML Signature Wrapping attacks:

Implement secure signature validation that checks the position of signed elements
Use XML Canonicalization (C14N) properly
Verify that the signed element is the expected one
Implement schema validation before signature validation
Consider using additional context-based validation
Keep XML security libraries updated
Consider using alternative security mechanisms when possible
Implement proper error handling for signature validation

Insecure XML Deserialization

// Anti-pattern: Insecure XML deserialization
import java.beans.XMLDecoder;
import java.io.StringBufferInputStream;

public Object deserializeXml(String xml) {
    // Vulnerable to code execution via XML deserialization
    XMLDecoder decoder = new XMLDecoder(new StringBufferInputStream(xml));
    Object result = decoder.readObject();
    decoder.close();
    return result;
}

// Better approach: Secure alternative to XML deserialization
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import java.io.StringReader;

public MyObject deserializeXmlSecurely(String xml) throws Exception {
    // Use JAXB with a specific class instead of XMLDecoder
    JAXBContext context = JAXBContext.newInstance(MyObject.class);
    Unmarshaller unmarshaller = context.createUnmarshaller();
    
    // Add validation against a schema
    SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    Schema schema = sf.newSchema(new File("myobject.xsd"));
    unmarshaller.setSchema(schema);
    
    return (MyObject) unmarshaller.unmarshal(new StringReader(xml));
}

// Anti-pattern: Insecure XML deserialization in PHP
function deserializeXml($xml) {
    // Vulnerable to PHP object injection via SimpleXMLElement
    $data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $data;
}

// Better approach: Secure XML processing in PHP
function deserializeXmlSecurely($xml) {
    // Disable external entities
    $prevValue = libxml_disable_entity_loader(true);
    
    // Use LIBXML_NONET to prevent network access
    $data = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    
    // Restore previous value
    libxml_disable_entity_loader($prevValue);
    
    return $data;
}

Insecure XML deserialization can lead to remote code execution, especially when using deserializers that support arbitrary code execution or object instantiation.To prevent insecure XML deserialization:

Avoid using XML deserializers that support arbitrary code execution (like Java’s XMLDecoder)
Use safer alternatives like JAXB with specific classes
Implement schema validation before deserialization
Disable external entities and DTDs
Consider using alternative data formats like JSON
Implement proper input validation
Keep deserialization libraries updated
Implement proper error handling for deserialization

XML Injection

// Anti-pattern: Vulnerable to XML injection
public String createXmlDocument(String username, String email) {
    // Directly inserting user input into XML
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
           "<user>\n" +
           "  <username>" + username + "</username>\n" +
           "  <email>" + email + "</email>\n" +
           "</user>";
}

// Better approach: Preventing XML injection
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.StringWriter;

public String createXmlDocumentSecurely(String username, String email) throws Exception {
    // Create a new document using the DOM API
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.newDocument();
    
    // Create elements and set text content (automatically escaped)
    Element rootElement = doc.createElement("user");
    doc.appendChild(rootElement);
    
    Element usernameElement = doc.createElement("username");
    usernameElement.setTextContent(username); // Properly escaped
    rootElement.appendChild(usernameElement);
    
    Element emailElement = doc.createElement("email");
    emailElement.setTextContent(email); // Properly escaped
    rootElement.appendChild(emailElement);
    
    // Convert DOM to string
    TransformerFactory transformerFactory = TransformerFactory.newInstance();
    Transformer transformer = transformerFactory.newTransformer();
    StringWriter writer = new StringWriter();
    transformer.transform(new DOMSource(doc), new StreamResult(writer));
    
    return writer.toString();
}

// Anti-pattern: Vulnerable to XML injection in PHP
function createXmlDocument($username, $email) {
    // Directly inserting user input into XML
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" .
           "<user>\n" .
           "  <username>" . $username . "</username>\n" .
           "  <email>" . $email . "</email>\n" .
           "</user>";
}

// Better approach: Preventing XML injection in PHP
function createXmlDocumentSecurely($username, $email) {
    // Create a new document using the DOM API
    $doc = new DOMDocument('1.0', 'UTF-8');
    
    // Create elements and set text content (automatically escaped)
    $rootElement = $doc->createElement('user');
    $doc->appendChild($rootElement);
    
    $usernameElement = $doc->createElement('username');
    $usernameElement->appendChild($doc->createTextNode($username)); // Properly escaped
    $rootElement->appendChild($usernameElement);
    
    $emailElement = $doc->createElement('email');
    $emailElement->appendChild($doc->createTextNode($email)); // Properly escaped
    $rootElement->appendChild($emailElement);
    
    return $doc->saveXML();
}

XML injection occurs when user input is directly inserted into XML documents without proper escaping, potentially allowing attackers to manipulate the XML structure.To prevent XML injection:

Use XML APIs to create and manipulate XML documents
Avoid string concatenation for XML generation
Implement proper input validation
Use XML escaping functions when necessary
Consider using XML schema validation
Implement proper error handling for XML operations
Consider using template systems with automatic escaping
Regularly test for XML injection vulnerabilities

XML Vulnerabilities Prevention Checklist

XML Vulnerabilities Prevention Checklist:

1. XML Parser Configuration
   - Disable external entities and DTDs
   - Disable entity expansion or set expansion limits
   - Use secure XML parsing libraries
   - Disable network access during XML processing
   - Configure XML parsers securely by default

2. Input Validation and Sanitization
   - Validate XML against a schema before processing
   - Implement proper input validation for XML data
   - Use XML APIs instead of string concatenation
   - Consider using XML escaping functions
   - Implement proper error handling for XML operations

3. XML Processing Best Practices
   - Consider using alternative data formats like JSON
   - Use parameterized XPath queries
   - Implement proper access controls for XML resources
   - Keep XML processing libraries updated
   - Avoid using XML for sensitive operations when possible

4. XML Security Features
   - Implement proper XML signature validation
   - Use XML Canonicalization (C14N) properly
   - Consider using XML encryption for sensitive data
   - Implement proper key management for XML security
   - Regularly test XML security implementations

5. Secure Deserialization
   - Avoid using XML deserializers that support arbitrary code execution
   - Use safer alternatives with specific classes
   - Implement schema validation before deserialization
   - Consider using alternative serialization formats
   - Implement proper error handling for deserialization

6. Testing and Monitoring
   - Regularly test for XML vulnerabilities
   - Implement proper logging for XML operations
   - Monitor for suspicious XML activity
   - Consider using XML security scanning tools
   - Implement proper error handling that doesn't reveal sensitive information

Preventing XML vulnerabilities requires a comprehensive approach that addresses parser configuration, input validation, and secure XML processing practices.Key prevention strategies:

Disable dangerous XML features like external entities
Use secure XML parsing libraries and configurations
Implement proper input validation and sanitization
Follow XML security best practices
Keep all XML processing libraries updated
Consider using alternative data formats when appropriate
Regularly test for XML vulnerabilities
Implement proper error handling and monitoring

Introduction

Getting Started

Features

Patterns

Integrations

Enterprise

XML Vulnerabilities