Xml External Entities in Actix with Cockroachdb

An XML External Entity (XXE) injection occurs when an XML parser processes external entity references within untrusted XML data. In an Actix web service that accepts XML payloads and interacts with Cockroachdb, this becomes particularly dangerous because the database connection string, credentials, or schema may be exposed through malicious entity expansion or remote requests. If the application parses XML without disabling external entity resolution, an attacker can craft payloads that cause the parser to read local files, trigger SSRF to internal Cockroachdb endpoints, or leak connection details that lead to unauthorized database access.

Consider an Actix endpoint that receives an XML document containing a DTD with external entity definitions pointing to internal services or to a Cockroachdb connection string stored in a mounted volume. When the XML is parsed, the external entity is fetched, and its content is returned to the application. This content can then be used in a database query, inadvertently exposing sensitive information or allowing an attacker to probe internal network paths that lead to Cockroachdb. Even in black-box scanning, middleBrick detects unsafe XML handling and highlights risks related to data exposure and SSRF that are amplified when Cockroachdb is involved.

The risk is elevated when the Actix service uses an OpenAPI specification that describes XML payloads but does not enforce strict entity limits or secure parser settings. middleBrick’s OpenAPI/Swagger analysis resolves all $ref definitions and cross-references runtime behavior, ensuring that XML input vectors tied to database interactions are surfaced. Findings include insecure XML processing and potential data exposure, with remediation guidance to disable external entities and validate input against a strict schema before any Cockroachdb interaction.

To secure Actix endpoints that interact with Cockroachdb, ensure XML parsing is hardened to prevent external entity processing. Use a secure XML parser configuration that disables DTDs and external entities. Below are concrete Rust code examples for an Actix web service that safely handles XML input and interacts with Cockroachdb using a parameterized, non-XML-sensitive approach.

use actix_web::{post, web, HttpResponse, Responder};
use roachdb_client::Client; // hypothetical Cockroachdb client
use serde::Deserialize;
use quick_xml::Reader; // safe, non-allocating XML reader
use std::io::Cursor;

// DTO for structured data — avoid raw XML for database operations
#[derive(Deserialize)]
struct UserInput {
    username: String,
    email: String,
}

// Secure handler: parse JSON or form data, not untrusted XML with DTDs
#[post("/user")]
async fn create_user(
    payload: web::Json,
    db: web::Data,
) -> impl Responder {
    let user = payload.into_inner();
    // Use parameterized queries to avoid injection and avoid XML parsing entirely
    let query = "INSERT INTO users (username, email) VALUES ($1, $2)";
    match db.query(query, &[&user.username, &user.email]).await {
        Ok(_) => HttpResponse::Ok().body("User created"),
        Err(e) => HttpResponse::InternalServerError().body(format!("DB error: {}", e)),
    }
}

// If XML intake is strictly required, use quick_xml with expansion disabled
#[post("/xml-safe")]
async fn safe_xml_intake(
    body: String,
    db: web::Data,
) -> impl Responder {
    let mut reader = Reader::from_reader(Cursor::new(body));
    reader.trim_text(true);
    // Configure parser to not process external entities
    let mut buf = Vec::new();
    loop {
        match reader.read_event(&mut buf) {
            Ok(quick_xml::events::Event::Eof) => break,
            Ok(_) => { /* handle elements safely */ }
            Err(e) => return HttpResponse::BadRequest().body(format!("Invalid XML: {}", e)),
        }
        buf.clear();
    }
    // Proceed with validated data, using Cockroachdb client as above
    HttpResponse::Ok().body("XML processed safely")
}

Key remediation steps include:

• Disable DTD and external entity resolution in any XML parser used by Actix.
• Prefer JSON or strongly typed forms over XML for database interactions with Cockroachdb.
• Use parameterized SQL queries to prevent injection regardless of input source.
• Validate and sanitize all input before constructing queries, ensuring that no attacker-controlled data is interpreted as code or entity references.

middleBrick’s checks for XML External Entities and SSRF will flag endpoints that process untrusted XML without these safeguards, providing specific remediation guidance aligned with secure coding practices for Actix and Cockroachdb integrations.