Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code configures Rails to use LibXML as its XML parsing backend, which can expose the application to XML External Entity (XXE) attacks. Compared with the default REXML parser, LibXML does not safely handle potentially dangerous XML input, in particular documents that declare external entities.
Impact
If exploited, attackers could read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by sending specially crafted XML data. This could lead to data breaches or unauthorized access to internal resources.
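As an added example that is not part of the rule text, the Ruby snippet below shows the weak and corrected `ActiveSupport::XmlMini.backend` settings alongside two defensive checks: a boot-time assertion on the configured backend name and a pre-parse guard that rejects documents carrying a DTD, which an external-entity reference requires. The allow-list, function names and sample XML documents are constructed for illustration and are not from the rule or from Rails.

```ruby
# Added example, not part of the original rule: defensive checks around the
# Rails XML backend choice that CWE-611 concerns (names/samples constructed).

# Weak setting this rule flags (typically in a config/initializers file):
#   ActiveSupport::XmlMini.backend = 'LibXML'
# Corrected setting (the Rails default):
#   ActiveSupport::XmlMini.backend = 'REXML'

# Hypothetical allow-list of backends permitted for untrusted input.
SAFE_XML_BACKENDS = %w[REXML].freeze

# True when the configured backend name is on the allow-list; run this at boot
# (e.g. against ActiveSupport::XmlMini.backend) to fail fast on a risky config.
def safe_xml_backend?(backend_name)
  SAFE_XML_BACKENDS.include?(backend_name.to_s)
end

# An external-entity attack needs a DTD: a DOCTYPE with an ENTITY declaration,
# which XML spells with these literal tokens (case-insensitive here for strictness).
DTD_MARKERS = /<!(?:DOCTYPE|ENTITY)\b/i

# Defense in depth for any parser: true when the document carries no DTD.
# Normalize the encoding to UTF-8 before calling (e.g. UTF-16 input), since
# the byte-level match assumes an ASCII-compatible encoding.
def dtd_free?(xml)
  !xml.match?(DTD_MARKERS)
end

# Reject a DTD-bearing document before it reaches the parser; returns the input
# unchanged when it is acceptable so it can sit in a processing pipeline.
def reject_dtd(xml)
  raise ArgumentError, 'XML with DOCTYPE/ENTITY declarations is not accepted' unless dtd_free?(xml)
  xml
end

# Constructed sample inputs: an ordinary document and one carrying an external
# entity declaration of the kind XXE relies on (placeholder SYSTEM identifier).
BENIGN_XML = '<?xml version="1.0"?><order><id>42</id></order>'
DTD_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder"> ]>
  <order>&ext;</order>
XML

if __FILE__ == $PROGRAM_NAME
  puts "LibXML backend allowed? #{safe_xml_backend?('LibXML')}"   # false
  puts "benign document accepted? #{dtd_free?(BENIGN_XML)}"         # true
  puts "DTD document accepted? #{dtd_free?(DTD_XML)}"               # false
end
```

The regex screen is a second layer, not a substitute for keeping the parser backend itself safe.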