Consider the following vulnerable Ruby on Rails example, which uses the
Nokogiri library to parse the XML. Assume there is a builder in the background forming the XML response from the
@response = Nokogiri::XML(request.body) do |config| config.strict.noent end
The way in which the parser is configured introduces an XML Entity Expansion vulnerability, which can be exploited by sending a specially crafted XML document to expose arbitrary files; for example,
<!DOCTYPE doc [ <!ELEMENT elem ANY><!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <element>Legitimate Data&xxe;</element>
Note the above example inserts the
xxe entity within the
element. In some use cases, an XML response will use elements from the request; therefore, it is insufficient to solely filter out unwanted elements.
noent option configures
Nokogiri to expand entities, introducing the vulnerability. In many XML parsing libraries, including
Nokogiri, the default is to not do so. However, they may be configured to expand entities, such as in the example above with the
To remediate this, it is best to explicitly disable entity expansion; defaults may change.
The fixed code below parses XML safely by disabling entity expansion with the
@response = Nokogiri::XML(request.body) do |config| config.strict.nonoent end