This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
This rule aims to prevent XXE (XML External Entity) attacks by ensuring that the XML parser is configured safely in Kotlin. XXE attacks occur when an XML parser processes an XML document that contains a reference to an external entity. This can lead to unwanted disclosure of confidential data, denial of service, server side request forgery, port scanning, or other system impacts.
XXE attacks can have serious security implications, potentially allowing an attacker to read sensitive data from the server, interact with any back-end or external systems that the application can access, or carry out denial-of-service attacks.
To avoid this, disable DTDs (Document Type Definitions) completely, if your application does not require them by setting the http://apache.org/xml/features/disallow-doctype-decl feature to true. If DTDs must be enabled, enable secure processing (XMLConstants.FEATURE_SECURE_PROCESSING), limit access to external DTDs (XMLConstants.ACCESS_EXTERNAL_DTD), and disable external parameter entities (http://xml.org/sax/features/external-parameter-entities). By following these practices, you can ensure that your Kotlin code is not vulnerable to XXE attacks.