api
data_error
ai_generated
true
400 Bad Request: XML parse error - entity expansion limit exceeded
ID: api/xml-parse-error-entity-expansion
Fix rate: 85%
Confidence: 83%
Evidence count: 1
First seen: 2024-01-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Java Xerces 2.12+ | active | — | — | — |
| Python defusedxml 0.7+ | active | — | — | — |
| libxml2 2.9+ | active | — | — | — |
| Spring Boot 3.x | active | — | — | — |
Root cause analysis
The XML request body contains deeply nested or numerous entity references whose expansion exceeds the parser's entity expansion limit (the limit that implements billion laughs attack protection).
Official documentation
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Solutions
- Validate and sanitize XML input before parsing. Example using Python defusedxml:

```python
import io
from defusedxml import ElementTree, EntitiesForbidden

# xml_string holds the raw XML request body.
# defusedxml refuses entity declarations outright, so an expansion payload
# raises EntitiesForbidden instead of being expanded in memory.
try:
    tree = ElementTree.parse(io.StringIO(xml_string))
except EntitiesForbidden:
    print('Entity expansion attack detected')
```

- Use a JSON or other non-XML format for the API if XML entity expansion is not required.
- Implement a custom input filter to reject XML with excessive entity declarations before parsing.
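As an added example (not from the original page), here is a pre-parse filter of the kind the third solution describes: it costs each declared entity's fully expanded size without materialising it, so a billion-laughs body is rejected before any parser sees it. The thresholds, the regexes and the sample payloads are assumptions; the regexes cover only the internal-subset `<!ENTITY name "value">` form, not parameter entities or external identifiers.

```python
import re

# Pre-parse filter: reject XML whose internal DTD declares too many entities or
# whose references would expand past a byte budget. Simplified regexes (assumed):
# only the <!ENTITY name "value"> form used in billion-laughs payloads.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
DOCTYPE = re.compile(r'<!DOCTYPE.*?\]\s*>', re.S)

def check_entity_expansion(xml_text, max_entities=10, max_expansion=100_000):
    """Return (accepted, reason) without expanding anything in memory."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    if len(decls) > max_entities:
        return False, f"{len(decls)} entity declarations exceeds limit {max_entities}"
    memo = {}

    def expanded_size(name, stack=()):
        # Fully expanded size of &name;, memoised so each entity is costed once
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        if name not in decls:  # built-ins (&amp; ...) or undeclared: kept literal
            return len(name) + 2
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            total += expanded_size(ref, stack + (name,))
            if total > max_expansion:  # stop costing once over budget
                break
        memo[name] = total
        return total

    body = DOCTYPE.sub("", xml_text)  # only references in the document body count
    total = 0
    try:
        for ref in ENTITY_REF.findall(body):
            total += expanded_size(ref)
            if total > max_expansion:
                return False, f"expansion exceeds {max_expansion} bytes"
    except ValueError as exc:
        return False, str(exc)
    return True, f"expansion {total} bytes"

def billion_laughs(depth=9, fanout=10):
    # Constructed sample payload: &lol9; expands to 10**9 copies of "lol"
    decls = ['<!ENTITY lol0 "lol">'] + ['<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout) for i in range(1, depth + 1)]
    return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>' % ("\n".join(decls), depth)

# Constructed benign request body: one declared entity referenced twice
BENIGN_XML = ('<?xml version="1.0"?><!DOCTYPE note [<!ENTITY company "Example Corp">]>'
              '<note><to>&company;</to><from>&company;</from></note>')
```

Because the filter costs entities by reference rather than by expanding them, it runs in time proportional to the declaration count even when the document would expand to gigabytes.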
Ineffective attempts
Common but ineffective approaches:
- 60% failure rate: This may make the application vulnerable to denial-of-service attacks; also, the error may still occur if the input is malicious.
- 50% failure rate: Most secure parsers have similar limits; the underlying issue is the input data, not the parser.
- 80% failure rate: This removes security protections and may allow injection attacks, without fixing the entity expansion problem.