Disable entity expansion

This issue is found automatically by CODA.
Time to fix: 30min

What is XML?

XML, or Extensible Markup Language, is a markup language that defines rules for encoding documents in a format that is both human-readable and machine-readable. It was designed to store and transport data, with a focus on simplicity, versatility, and descriptiveness. XML is commonly used to represent structured data in applications such as configuration files, data exchange between systems, and web services. In essence, XML is a flexible way to store data in a format that can be searched and shared.

Why is this an issue?

An XML document can declare entities in its DTD, and the parser expands every reference to them while parsing. An XML Entity Expansion attack occurs when an attacker supplies a document whose entities reference other entities, so that a few lines of input expand into a very large amount of data (the "billion laughs" pattern). Parsing such input consumes excessive CPU and memory and can cause a denial-of-service condition.

The glide.stax.allow_entity_resolution System Property controls whether the StAX XML parser resolves entities at all. When it is set to false, XML parsing still succeeds, but neither internal nor external entities are expanded. When the property is left enabled, a crafted document submitted to the instance can trigger entity expansion and the resource exhaustion described above.
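To make the risk concrete, here is an added example that is not part of the original page or of ServiceNow's code. It uses Python's standard-library expat parser as a stand-in for the instance's StAX parser: a constructed three-level entity chain is parsed once with default settings, showing how a small document expands into far more text, and once with entity resolution disallowed. The hardened parser is deliberately stricter than the property described above: instead of silently skipping entities it rejects any DOCTYPE (the only place entities can be declared) and refuses external entity references, which is an assumption of this example rather than the instance's behaviour.

```python
# Added example (not from the original page): why entity expansion is
# dangerous and what disabling entity resolution buys you, using Python's
# stdlib expat parser as a stand-in for the instance's StAX parser.
import xml.parsers.expat as expat

# Constructed sample: a three-level entity chain. Each level references the
# previous one ten times, so &c; expands to 10 * 10 * 10 = 1000 bytes of text
# from a document that is only about 180 bytes long. Real attacks use much
# deeper chains (the "billion laughs" pattern).
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>
"""

# Constructed sample: an ordinary document with no DTD at all.
PLAIN_DOC = b'<?xml version="1.0"?><msg>hello</msg>'


class EntityResolutionDisallowed(ValueError):
    """Raised when a document tries to declare a DTD (and therefore entities)."""


def parse_text_permissive(doc: bytes) -> str:
    """Parse with default settings: internal entities are expanded in full.
    Returns the concatenated character data of the document element."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def parse_text_hardened(doc: bytes) -> str:
    """Parse with entity resolution disallowed.

    Stricter than the ServiceNow property, which keeps parsing and skips the
    entities: here any DOCTYPE aborts the parse, and an external entity
    reference (defence in depth; unreachable once DOCTYPE is refused) fails it.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise EntityResolutionDisallowed(
            f"DOCTYPE {name!r} declares a DTD; entity resolution is disabled")

    def reject_external(context, base, system_id, public_id):
        # Returning 0 makes expat fail the parse instead of fetching system_id.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(doc, True)
    return "".join(chunks)


def hardened_rejects(doc: bytes) -> bool:
    """True if the hardened parser refuses the document outright."""
    try:
        parse_text_hardened(doc)
    except EntityResolutionDisallowed:
        return True
    return False


def amplification(doc: bytes) -> float:
    """Bytes of text produced per byte of input with the permissive parser."""
    return len(parse_text_permissive(doc).encode()) / len(doc)


if __name__ == "__main__":
    text = parse_text_permissive(ENTITY_BOMB)
    print(f"permissive: {len(text)} chars of text from {len(ENTITY_BOMB)} "
          f"input bytes (amplification {amplification(ENTITY_BOMB):.1f}x)")
    print(f"hardened: entity bomb rejected -> {hardened_rejects(ENTITY_BOMB)}")
    print(f"hardened: plain document still parses -> {parse_text_hardened(PLAIN_DOC)!r}")
```

Adding one more level to the chain multiplies the output by another ten while adding a single line to the input, which is why a parser that resolves entities cannot be protected by input-size limits alone.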

How do I fix it?

Before setting this property to its correct value, several other steps must be completed first. They concern the other System Properties that control XML entity processing: together they enable the XML entity whitelist, so that external entities are only resolved from the hosts on the list, and only then is entity resolution disabled. To proceed, follow these steps:

  1. In the Filter Navigator, type sys_properties.list and press Enter.

  2. Search for glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled.

  3. Set the Value field of both properties to true and Save.

  4. Search for glide.xml.entity.whitelist and open the record.

  5. In the Value field, enter a comma-delimited list of fully qualified domain names (FQDNs). These are the only hosts that XML entity processing is allowed to reach, for example http://java.com, http://servicenow.com. Save the record.

  6. Once the steps above are complete, search for the glide.stax.allow_entity_resolution property and open the record.

  7. Set the Value field to false and Save.
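To confirm the end state of the procedure above (or to re-check it after an upgrade), here is an added example that is not part of the original page or of ServiceNow's own tooling. The evaluation is a pure function over a name-to-value map, so it runs offline against a captured export; fetch_properties() pulls live values through the instance's standard Table API (/api/now/table/sys_properties) with basic authentication, and its instance name and credentials are assumptions supplied by the caller. The two sample exports are constructed for illustration, not taken from a real instance.

```python
# Added example (not from the original page): audit the four XML entity
# properties against the values the procedure above ends with.
import base64
import json
import urllib.parse
import urllib.request

# Expected values after the procedure. The whitelist itself is free-form and
# is reported rather than judged.
HARDENED = {
    "glide.xml.entity.whitelist.enabled": "true",
    "glide.stax.whitelist_enabled": "true",
    "glide.stax.allow_entity_resolution": "false",
}
WHITELIST_PROPERTY = "glide.xml.entity.whitelist"

# Constructed sample exports in the shape fetch_properties() returns.
WEAK_EXPORT = {
    "glide.xml.entity.whitelist.enabled": "false",
    "glide.stax.whitelist_enabled": "false",
    "glide.xml.entity.whitelist": "",
    "glide.stax.allow_entity_resolution": "true",
}
HARDENED_EXPORT = {
    "glide.xml.entity.whitelist.enabled": "true",
    "glide.stax.whitelist_enabled": "true",
    "glide.xml.entity.whitelist": "http://java.com, http://servicenow.com",
    "glide.stax.allow_entity_resolution": "false",
}


def evaluate(props: dict) -> list:
    """Return one finding per property that is missing or not hardened.
    An empty list means every property matches the procedure's end state."""
    findings = []
    for name, expected in HARDENED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name}: property not found; instance default applies")
        elif actual.strip().lower() != expected:
            findings.append(f"{name}: is {actual!r}, expected {expected!r}")
    return findings


def allowed_hosts(props: dict) -> list:
    """The whitelist entries, split and trimmed, so they can be reviewed."""
    raw = props.get(WHITELIST_PROPERTY, "")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def fetch_properties(instance: str, user: str, password: str) -> dict:
    """Read the live values via the Table API (network call; needs read access
    to sys_properties). Returns {property name: value}."""
    names = ",".join(list(HARDENED) + [WHITELIST_PROPERTY])
    query = urllib.parse.urlencode({
        "sysparm_query": f"nameIN{names}",
        "sysparm_fields": "name,value",
        "sysparm_limit": "10",
    })
    url = f"https://{instance}.service-now.com/api/now/table/sys_properties?{query}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(request, timeout=30) as response:
        body = json.load(response)
    return {row["name"]: row.get("value", "") for row in body["result"]}


def report(props: dict) -> str:
    """Human-readable summary of evaluate() and allowed_hosts()."""
    lines = evaluate(props) or ["all XML entity properties are hardened"]
    lines.append(f"{WHITELIST_PROPERTY}: {allowed_hosts(props) or 'empty'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in
    # fetch_properties("<instance>", "<user>", "<password>") for a live check.
    print("--- weak instance ---")
    print(report(WEAK_EXPORT))
    print("--- hardened instance ---")
    print(report(HARDENED_EXPORT))
```

A property that is absent from the export is reported separately from one with the wrong value, because an absent record means the instance default is in effect and the fix has not been applied at all.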