Made by DeepSource

Audit required: XML package may be vulnerable to XXE attacks GO-S0903

Security
Major
A05, CWE-611, CWE-827, SANS Top 25, OWASP Top 10

The XML specification lets a document declare entities, which can be internal or external (referring to the file system, the network, etc.). Resolving external entities can lead to vulnerabilities such as SSRF or disclosure of confidential files. The XML package (the Go binding to libxml2) may therefore be vulnerable to XXE attacks: when the parser is allowed to resolve external entities, an attacker who controls the input can read sensitive data from the filesystem, so the package must be used with great care.

Whether the parser is exposed depends on how it is tuned: ParseOption values such as XML_PARSE_NOENT make the parser vulnerable to XXE attacks, and other options may have a similar effect. Any package that binds libxml2 should be expected to be vulnerable to XXE attacks until its parser options have been audited.

Bad practice

package main

import (
  "fmt"
  "github.com/lestrrat-go/libxml2"
)

// xmlstring stands for attacker-controlled input in the scenario this rule describes.
var xmlstring = `<?xml version="1.0"?><doc>hello</doc>`

func foo() {
  // Parsed with the default options: nothing here restricts entity or DTD handling.
  d, err := libxml2.ParseString(xmlstring)
  if err != nil {
    fmt.Println("parse error:", err)
    return
  }
  defer d.Free()
  // ...
}
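As an added example (not code from DeepSource's rule page or from the libxml2 binding), the following standard-library guard rejects any document that carries a DOCTYPE before it is handed to ParseString, which is the simplest way to make XML_PARSE_NOENT and DTD loading moot for input that never legitimately needs a DTD; it uses encoding/xml only as a tokenizer, because that parser never resolves entities or fetches DTDs itself. DoctypeInfo and RejectDoctype are my own names, and the sample documents in the checks are constructed inputs.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
	"regexp"
	"strings"
)

// DoctypeInfo describes a rejected prolog so the event can be logged with detail.
type DoctypeInfo struct {
	ExternalDTD    bool // <!DOCTYPE r SYSTEM|PUBLIC ...>: the parser would fetch a DTD
	Entities       int  // <!ENTITY ...> declarations in the internal subset
	ExternalEntity bool // an entity names a SYSTEM|PUBLIC resource (the classic XXE)
}

var (
	// Fail closed on any DTD: with none present, XML_PARSE_NOENT and XML_PARSE_DTDLOAD have nothing to act on.
	ErrDoctype = errors.New("xml: DOCTYPE present, refusing to parse")
	extEntRe   = regexp.MustCompile(`(?i)<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b`)
	extDTDRe   = regexp.MustCompile(`(?i)^DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b`)
)

// RejectDoctype scans only the prolog (encoding/xml never resolves entities) and stops at the root or first DOCTYPE.
func RejectDoctype(doc []byte) (DoctypeInfo, error) {
	var info DoctypeInfo
	dec := xml.NewDecoder(bytes.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return info, nil // no root element and no DOCTYPE: nothing to reject
		} else if err != nil {
			return info, err // malformed prolog: the caller should reject this too
		}
		switch t := tok.(type) {
		case xml.StartElement:
			return info, nil // a DOCTYPE can only precede the root element
		case xml.Directive:
			if d := strings.TrimSpace(string(t)); strings.HasPrefix(strings.ToUpper(d), "DOCTYPE") {
				head, subset, _ := strings.Cut(d, "[")
				info.ExternalDTD = extDTDRe.MatchString(head)
				info.Entities = strings.Count(strings.ToUpper(subset), "<!ENTITY")
				info.ExternalEntity = extEntRe.MatchString(subset)
				return info, ErrDoctype
			}
		}
	}
}
```

Where a DTD must be accepted, the guard does not apply and the parser options passed to ParseString still need the audit this rule asks for.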
