{
  "id": "api/xml-parse-error-entity-expansion",
  "signature": "400 Bad Request: XML parse error - entity expansion limit exceeded",
  "signature_zh": "400 错误请求：XML 解析错误 - 实体扩展超出限制",
  "regex": "400 Bad Request: XML parse error - entity expansion limit exceeded",
  "domain": "api",
  "category": "data_error",
  "subcategory": null,
  "root_cause": "The XML request body contains deeply nested or numerous entity references that exceed the parser's entity expansion limit (a limit parsers impose as protection against 'billion laughs' style attacks).",
  "root_cause_type": "generic",
  "root_cause_zh": "XML 请求体包含深度嵌套或大量实体引用，超过了解析器的实体扩展限制（例如，十亿笑攻击保护）。",
  "versions": [
    {
      "version": "Java Xerces 2.12+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Python defusedxml 0.7+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "libxml2 2.9+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Boot 3.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "This may make the application vulnerable to denial-of-service attacks; also, the error may still occur if the input is malicious.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Most secure parsers have similar limits; the underlying issue is the input data, not the parser.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This removes security protections and may allow injection attacks, without fixing the entity expansion problem.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Validate and sanitize XML input before parsing. Example using Python defusedxml:\nfrom defusedxml import ElementTree, EntitiesForbidden\nimport io\n# defusedxml rejects entity declarations, so an entity expansion attack raises EntitiesForbidden\ntry:\n    tree = ElementTree.parse(io.StringIO(xml_string))\nexcept EntitiesForbidden:\n    print('Entity expansion attack detected')",
      "success_rate": 0.9,
      "how": "Validate and sanitize XML input before parsing. Example using Python defusedxml:\nfrom defusedxml import ElementTree, EntitiesForbidden\nimport io\n# defusedxml rejects entity declarations, so an entity expansion attack raises EntitiesForbidden\ntry:\n    tree = ElementTree.parse(io.StringIO(xml_string))\nexcept EntitiesForbidden:\n    print('Entity expansion attack detected')",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a JSON or other non-XML format for the API if XML entity expansion is not required.",
      "success_rate": 0.85,
      "how": "Use a JSON or other non-XML format for the API if XML entity expansion is not required.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Implement a custom input filter to reject XML with excessive entity declarations before parsing.",
      "success_rate": 0.8,
      "how": "Implement a custom input filter to reject XML with excessive entity declarations before parsing.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Validate and sanitize XML input before parsing. Example using Python defusedxml:\nfrom defusedxml import ElementTree, EntitiesForbidden\nimport io\n# defusedxml rejects entity declarations, so an entity expansion attack raises EntitiesForbidden\ntry:\n    tree = ElementTree.parse(io.StringIO(xml_string))\nexcept EntitiesForbidden:\n    print('Entity expansion attack detected')",
    "Use a JSON or other non-XML format for the API if XML entity expansion is not required.",
    "Implement a custom input filter to reject XML with excessive entity declarations before parsing."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.83,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}