Xml External Entities in Actix with Mongodb
Xml External Entities in Actix with Mongodb — how this specific combination creates or exposes the vulnerability
Xml External Entity (XXE) injection occurs when an application processes XML input that references external entities, and those entities are resolved in a way that discloses files, triggers remote requests, or consumes excessive resources. In Actix applications that accept XML payloads and interact with Mongodb, the combination can expose both data exfiltration and server-side request forgery (SSRF) paths if user-controlled XML is deserialized and passed to backend services.
Consider an endpoint in Actix that receives an XML document containing entity declarations and external system identifiers. If the XML parser resolves DOCTYPE and entity references, an attacker can define an external entity pointing to a local file such as /etc/passwd or to a backend Mongodb service connection string. When the application forwards the parsed data to Mongodb, the resolved entity content may be embedded into queries or used as part of a connection string, unintentionally exposing sensitive configuration or enabling SSRF against internal services. For example, an external entity like file:///etc/passwd can be injected into XML and later reflected in logs, error messages, or stored data in Mongodb, depending on how the application uses the parsed values.
Actix does not inherently introduce XXE; the risk arises from the XML parsing library and how the parsed data is forwarded to Mongodb. If the application builds Mongodb queries by concatenating XML-derived values without validation, an attacker can manipulate entity expansion to probe internal endpoints or exfiltrate data. In some configurations, external entities can trigger network requests to attacker-controlled servers, revealing that the backend resolves references, which can be chained with SSRF to reach internal Mongodb ports that are otherwise not exposed publicly. Therefore, the vulnerability in this stack is not about a specific CVE targeting Actix or Mongodb together, but about insecure XML processing combined with unsafe usage of parsed data in database interactions.
An example scenario: an Actix route accepts an XML upload, parses it with a vulnerable XML parser that resolves DOCTYPE, and uses values from the XML to construct a Mongodb filter. An attacker can supply an external entity referencing http://internal-metadata/iam/roles, and if the application trusts the resolved content, the effective query may include sensitive metadata. Even without direct code execution, this can lead to sensitive data exposure or unauthorized information disclosure through error handling or logging.
Mongodb-Specific Remediation in Actix — concrete code fixes
To secure Actix applications that interact with Mongodb, you must prevent XML entity resolution and validate all data before it reaches the database. The most effective remediation is to avoid parsing untrusted XML entirely. If XML support is required, use a parser configured to disable external entity resolution and DOCTYPE processing. For JSON-based workflows, prefer strict deserializers that do not expand entities.
When you must handle XML, configure your XML parser to disable external entities. For example, using the xml-rs crate, you can disable expansion by not setting up external entity resolvers and by using a non-validating reader. Below is a Rust example for Actix that shows safe handling of incoming data without external entity resolution:
use actix_web::{web, HttpResponse, Result};
use serde_json::json;
use mongodb::{Client, options::ClientOptions};
async fn safe_api(
body: String,
) -> Result {
// Reject or sanitize XML-like structures if not required.
if body.contains("<!DOCTYPE") || body.contains("<?xml") {
return Ok(HttpResponse::bad_request().body("XML input not allowed"));
}
// Parse only expected JSON input.
let parsed: serde_json::Value = serde_json::from_str(&body)
.map_err(|e| actix_web::error::ErrorBadRequest(e.to_string()))?;
// Safely use parsed values with Mongodb.
let client_options = ClientOptions::parse("mongodb://localhost:27017").await?;
let client = Client::with_options(client_options)?;
let collection = client.database("testdb").collection("testcoll");
// Use strongly-typed structures rather than raw concatenation.
let doc = mongodb::bson::doc! {
"username": parsed["username"].as_str().unwrap_or(""),
"email": parsed["email"].as_str().unwrap_or(""),
};
collection.insert_one(doc, None).await?;
Ok(HttpResponse::ok().finish())
} If you must accept XML, use a safe parser and explicitly disable external entities. For example, with the roxmltree crate, which does not resolve external entities by design, you avoid the risk of XXE. Additionally, always validate and sanitize any data extracted from XML or JSON before using it in Mongodb queries. Avoid string concatenation to build filters; instead, use typed documents and parameterized operations.
Apply the principle of least privilege to the Mongodb connection used by Actix. Ensure the database user has only the necessary permissions and cannot read sensitive collections unless required. Combine this with network-level restrictions so that Mongodb is not exposed to unauthenticated or broad network access, reducing the impact of any potential data exposure through XML handling errors.
Finally, integrate middleBrick to scan your Actix endpoints for XXE and related issues. The scanner can detect unsafe XML processing patterns and flag risky data flows to Mongodb, helping you verify that remediation is effective. With the Pro plan, you can enable continuous monitoring so changes to your XML handling or database interaction are automatically assessed for security regressions.