From 0dabe8af9ef69bca3d9980f251d141f66d3fbaea Mon Sep 17 00:00:00 2001
From: Jason Stephenson
Date: Thu, 3 Nov 2016 10:12:19 -0400
Subject: [PATCH] Check for external XML entities in NCIP.pm.

Add an external entity handler to DOM creation in the main NCIP module's handle_initiation function. This handler dies and the error processing catches that error, logs that a possible XXE attack was detected and then returns undef.

Signed-off-by: Jason Stephenson
---
 lib/NCIP.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/NCIP.pm b/lib/NCIP.pm
index bc61682..7d6bfad 100644
--- a/lib/NCIP.pm
+++ b/lib/NCIP.pm
@@ -103,9 +103,14 @@ sub handle_initiation {
 my $dom;
 my $log = Log::Log4perl->get_logger("NCIP");
- eval { $dom = XML::LibXML->load_xml( string => $xml ); };
+ eval { $dom = XML::LibXML->load_xml( string => $xml, ext_ent_handler => sub { die('XXE'); } ); };
 if ($@) {
+ if ($@ eq 'XXE') {
+ $log->warn('Possible XML External Entity Attack...Bailing out');
+ return;
+ }
 $log->info("Invalid xml we can not parse it ");
+ }
 if ($dom) {
-- 
2.43.2
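Review bot: The `$@ eq 'XXE'` test in the new branch can never be true, because `die('XXE')` has no trailing newline and Perl appends ` at lib/NCIP.pm line N.` plus a newline to the message, so a blocked external entity falls through to the generic "Invalid xml" info log instead of the warn-and-return path the commit describes. Either throw with a newline, `ext_ent_handler => sub { die("XXE\n"); }`, or match the prefix, `if ($@ =~ /\AXXE/) {`; the prefix match is the safer choice if the XML::LibXML version in use wraps a callback's error text with its own, which is worth confirming in a test that feeds a document with an external entity declaration. Since the handler is the only guard here, consider also passing `load_ext_dtd => 0, no_network => 1` to `load_xml` so external DTD and entity fetches are refused regardless of the handler, keeping the handler for the warn log. handle_initiation begins before and continues past this hunk.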