xmerl allows XXE by default

[feld]

Hello,

xmerl is possibly the most mature XML parsing library in the Erlang ecosystem, but unfortunately it permits XXE vulnerabilities by default. Can this be disabled so everyone writing XML parsing code doesn't have to provide a custom fetch_fun for xmerl_scan or setting {allow_entities, False} to close the security hole?

This also affects some downstream consumers, including some wrappers for Elixir

https://vuln.be/post/xxe-in-erlang-and-elixir/

[lanodan]

Alternatively it should at least be documented, for example:

diff --git a/lib/xmerl/src/xmerl_scan.erl b/lib/xmerl/src/xmerl_scan.erl
index 62b5dd8..77c7b9a 100644
--- a/lib/xmerl/src/xmerl_scan.erl
+++ b/lib/xmerl/src/xmerl_scan.erl
@@ -36,6 +36,12 @@
 %% functions.
 %% </p>
 %% <p>
+%% <strong>Warning:</strong> By default XML entities, including external ones
+%% are loaded, this can lead to XML External Entity (XXE) vulnerabilities if
+%% you're parsing untrusted XML.<br />
+%% To avoid this you need to pass <code>{allow_entities, False}</code>.
+%% </p>
+%% <p>
 %% Possible options are:
 %% </p>
 %% <dl>

(My example might not be right, I write Elixir code rather than Erlang)

[kikofernandez]

We are discussing internally if we could change the defaults. The main issue is (as always) breaking backwards compatibility.
I will post any decision here. Thanks for opening the ticket

[kikofernandez]

@feld we are looking into solving this, possibly by changing the default as {allow_entities, false}
The delay is due to breaking backwards compatibility and deciding on whether we add this to OTP-27, but we are working on it and will soon (a week or two) come to a conclusion

[kikofernandez]

Same as before. We are working on it, slowly but steady considering options and fixes, to break backwards compatibility as little as possible. If you have any suggestions, please bring them on :)

[lthor]

The default values are changed to avoid XML External Entity (XXE) vulnerabilities if one are parsing untrusted XML.
xmerl_scan: the default value for allow_entities has changed to false.
xmerl_sax_parser: the default value for external_entities has changed to none.