Xml External Entities in Gorilla Mux with Dynamodb

XML External Entity (XXE) injection occurs when an application processes XML input that references external entities, allowing an attacker to force the parser to disclose local files, trigger SSRF, or consume resources. Gorilla Mux is a popular HTTP request router for Go that often hosts HTTP APIs which may accept XML payloads. When such an API interacts with AWS DynamoDB—either to store, retrieve, or log data—misconfigured XML handling can expose sensitive data or create unintended network calls.

In practice, an API endpoint built with Gorilla Mux might unmarshal an XML body into a Go struct and then use the AWS SDK to write items to a DynamoDB table. If the XML parser is not explicitly hardened (for example, by disabling external entity processing), an attacker can provide a malicious XML payload that defines entities referencing local files or internal AWS metadata. Because DynamoDB operations often include detailed request and response logging, injected entity expansions can leak through logs or error messages, revealing IAM credentials, instance metadata, or other sensitive configuration stored in the environment.

The combination of Gorilla Mux routing, XML parsing, and DynamoDB usage amplifies the risk because the API surface includes input validation gaps and rich error reporting. Attackers may probe endpoints to identify those that parse XML and invoke DynamoDB operations, then exploit XXE to perform SSRF against internal AWS metadata endpoints or access files mounted in the container. Even if the DynamoDB client does not directly process XML, the server-side logging or instrumentation layers might inadvertently include expanded entity content, turning a seemingly safe NoSQL interaction into an information disclosure vector.

For example, an endpoint defined with Gorilla Mux might expect JSON but be configured to also accept XML for legacy clients. If the XML parser is not configured to disable external DTDs, an attacker can supply a payload that references file:///etc/passwd or an internal AWS metadata URL. The resulting data may then be passed to DynamoDB batch operations or used to build condition expressions, exposing the expanded content in application or CloudWatch logs. This scenario highlights how XXE in Gorilla Mux, combined with DynamoDB interactions, can bypass expected security boundaries without directly targeting the database client.

Remediation focuses on disabling XML external entity processing at the parser level and validating inputs before they reach DynamoDB operations. For Go applications using Gorilla Mux, ensure XML unmarshaling is performed with secure parser settings. When using the standard library’s encoding/xml, avoid enabling xml.Decoder with external entity resolution and do not use legacy unmarshal patterns that implicitly trust the input.

Below is a secure example of handling XML input in a Gorilla Mux route before interacting with DynamoDB. The code explicitly disables DTD and external entity processing, uses strict struct tags, and validates input before constructing DynamoDB attribute values.

import (
    "encoding/xml"
    "net/http"
    "github.com/gorilla/mux"
    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/dynamodb"
    "github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
)

type SafePayload struct {
    UserID string `xml:"user_id" json:"user_id"`
    Email  string `xml:"email" json:"email"`
}

func secureHandler(w http.ResponseWriter, r *http.Request) {
    decoder := xml.NewDecoder(r.Body)
    decoder.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {
        return input, nil
    }
    var payload SafePayload
    if err := decoder.Decode(&payload); err != nil {
        http.Error(w, "invalid input", http.StatusBadRequest)
        return
    }

    sess := session.Must(session.NewSession())
    svc := dynamodb.New(sess)

    item, err := dynamodbattribute.MarshalMap(SafePayload{
        UserID: payload.UserID,
        Email:  payload.Email,
    })
    if err != nil {
        http.Error(w, "failed to marshal item", http.StatusInternalServerError)
        return
    }

    input := &dynamodb.PutItemInput{
        TableName: aws.String("SecureTable"),
        Item:      item,
    }
    _, err = svc.PutItem(input)
    if err != nil {
        http.Error(w, "failed to store item", http.StatusInternalServerError)
        return
    }

    w.WriteHeader(http.StatusOK)
}

In addition to secure parsing, apply the following practices: disable external DTDs and entity expansion at the XML parser level, avoid passing raw XML content to DynamoDB condition expressions or attribute values, and sanitize any user-controlled strings that may be logged. When using the AWS SDK for Go, ensure that request and response logging does not inadvertently include expanded entity data. For environments where XML support is unnecessary, consider removing XML parsing capabilities entirely from the Gorilla Mux routes to reduce the attack surface.

Finally, integrate middleBrick into your workflow to detect such issues automatically. Use the CLI with middlebrick scan <url> to perform black-box scans, add the GitHub Action to fail builds if security scores drop, or run scans via the MCP Server from your AI coding assistant. These features help identify XML handling risks and other misconfigurations early, without requiring internal architecture details.