Reputation: 1350
In order to avoid a whole class of security vulnerabilities, I want to disable external entity expansion when parsing XML documents in my application.
However, I want to ensure that we don't have any code that depends on this behaviour, first.
We have good unit test coverage, using a large number of XML files, so if none of these include external entities, then I am fairly certain that it will be safe to disable this feature in the XML parser.
My question: What can I search for in order to catch all potential uses of external entities in our test data?
It can be a straight string-search or a regex, if necessary. It can also be a set of searches if that is simpler (I'd rather have an easy-to-understand set of 4 strings to search for than a single regex covering four variants).
I don't mind if the search returns false-positives provided there is a simple visual inspection that can be done to determine that they are false positives (e.g. must contain a URL), but there mustn't be any false negatives (i.e. I don't want to miss anything).
Upvotes: 1
Views: 217
Reputation: 163587
Try parsing them using a SAX parser having first set an EntityResolver to intercept calls for external entity resolution.
Upvotes: 0
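One way to run the check, as an added example in Python rather than code from either poster: a string search for the case-sensitive SYSTEM/PUBLIC keywords that the question asks about, beside the SAX parser with an intercepting EntityResolver that the answer suggests. The sample documents and the example.invalid URI are constructed for the example.

```python
import io
import re
import xml.sax
from xml.sax.handler import EntityResolver, feature_external_ges

# Every external entity a document can pull in is introduced by the case-sensitive
# keyword SYSTEM or PUBLIC inside an <!ENTITY ...> declaration or, for an external
# DTD subset, inside <!DOCTYPE ...>. Searching those two declarations for the two
# keywords gives no false negatives, and each hit is short enough to eyeball.
EXTERNAL_ID_RE = re.compile(rb"<!(?:ENTITY|DOCTYPE)\b[^>\[]*?\b(?:SYSTEM|PUBLIC)\b")

def grep_external_ids(data: bytes) -> list:
    """Text search: return each declaration fragment that carries an external ID."""
    return [m.group(0).decode("utf-8", "replace") for m in EXTERNAL_ID_RE.finditer(data)]

class ExternalEntityFound(Exception):
    """Raised by the resolver so parsing stops before anything is loaded."""

class RecordingResolver(EntityResolver):
    """EntityResolver that records each external entity request and aborts."""

    def __init__(self):
        self.seen = []

    def resolveEntity(self, publicId, systemId):
        self.seen.append((publicId, systemId))
        raise ExternalEntityFound(systemId)  # never return a source: nothing is fetched

def sax_external_refs(data: bytes) -> list:
    """Parse with SAX and report (publicId, systemId) for every external entity the
    parser tried to resolve: referenced general entities and the external DTD subset.
    Unlike the grep, this misses entities that are declared but never referenced."""
    parser = xml.sax.make_parser()
    # Expat only consults the EntityResolver when external general entity loading is
    # enabled; the resolver above aborts before any file or URL is opened.
    parser.setFeature(feature_external_ges, True)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.BytesIO(data))
    except ExternalEntityFound:
        pass
    return resolver.seen

# Constructed sample documents; the URI is a placeholder, not a real resource.
XXE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE foo [\n'
              b'<!ENTITY ext SYSTEM "http://example.invalid/ext.xml">]>\n'
              b'<foo>&ext;</foo>')
CLEAN_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY note "internal only">]>\n'
                b'<foo>&note; the SYSTEM of record</foo>')
```

Run both checks over every test file: a document is only safe to keep when the grep returns nothing, since the SAX check alone cannot see declared-but-unreferenced entities.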