XML External Entity High

Objects that parse or handle XML data can lead to XML External Entity (XXE) attacks when not configured properly. Improper restriction of XML external entity processing can lead to server-side request forgery and information disclosure.

Detector ID
ruby/xml-external-entity@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1def xml_external_entity_noncompliant()
2  # Noncompliant: Disabling encryption of sensitive data
3  config.force_ssl = false
4end

Compliant example

1def xml_external_entity_compliant()
2  # Compliant: Sensitive data is encrypted
3  config.force_ssl = true
4end