 

How does the Android XmlPullParser handle vulnerabilities?

If I'm using an XmlPullParser in my application, is it possible for it to be exposed to vulnerabilities such as "billion laughs"?

What security procedures should be taken when using the XmlPullParser?

sameer54321 asked Nov 08 '22 09:11


1 Answer

By default, the XmlPullParser will not parse entities, so you will not be exposed to such vulnerabilities. But you will have to deal with exceptions thrown when trying to parse undeclared entities. To keep this behavior, you have to ensure that XmlPullParser.FEATURE_PROCESS_DOCDECL is set to false prior to any document parsing.

It is also recommended not to validate your XML with a DTD coming from an unknown source. The best approach for this is to use a DTD embedded in your application and use it to validate the XML.

You can find more on XML External Entities by following these links:

  • XXE Processing from OWASP
  • XXE Prevention Cheat Sheet from OWASP
Arnaud Develay answered Nov 15 '22 06:11
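The behaviour described in the answer above, as an added example that is not part of the original question or answer: a small "billion laughs" style document (constructed here, three levels deep rather than the nine or ten of the real attack) is fed to a parser with `FEATURE_PROCESS_DOCDECL` explicitly set to `false` before `setInput()`. The entity declarations in the internal DTD are then ignored, `&lol3;` is treated as an undeclared entity, and `next()` throws `XmlPullParserException` instead of expanding anything; the calling code turns that into a rejection. A second factory method with the feature set to `true` is shown only as the setting to avoid. The code assumes `org.xmlpull.v1.XmlPullParserFactory`, which is available in the Android framework and, on a desktop JVM, needs the xmlpull API plus an implementation such as kxml2 on the classpath; the class and method names are my own.

```java
import java.io.IOException;
import java.io.StringReader;

import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory;

public class SafePullParserDemo {

    // Constructed sample input: a cut-down "billion laughs" document. Each entity
    // references the previous one ten times, so fully expanding &lol3; would give
    // 1000 copies of "lol"; the real attack keeps nesting until the expansion
    // exhausts memory.
    static final String BILLION_LAUGHS =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE lolz [\n"
            + "  <!ENTITY lol \"lol\">\n"
            + "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
            + "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
            + "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
            + "]>\n"
            + "<lolz>&lol3;</lolz>";

    // Hardened configuration: entity declarations in the document's DTD are not
    // processed. false is already the default on Android's KXmlParser; setting it
    // explicitly, before setInput(), documents the intent and protects against a
    // factory that chooses differently.
    static XmlPullParser newHardenedParser(String xml) throws XmlPullParserException {
        XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XmlPullParser parser = factory.newPullParser();
        parser.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
        parser.setInput(new StringReader(xml));
        return parser;
    }

    // Weak configuration, shown for contrast only: the parser is told to honour
    // the internal DTD, which is the precondition for entity-expansion attacks.
    static XmlPullParser newEntityProcessingParser(String xml) throws XmlPullParserException {
        XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XmlPullParser parser = factory.newPullParser();
        parser.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, true);
        parser.setInput(new StringReader(xml));
        return parser;
    }

    // Returns the concatenated text content of the document, or null when the
    // parser refuses to resolve an entity reference. With FEATURE_PROCESS_DOCDECL
    // false, &lol3; is undeclared as far as the parser is concerned, so next()
    // throws here rather than expanding it, and the document is rejected.
    static String readText(XmlPullParser parser) throws IOException {
        StringBuilder text = new StringBuilder();
        try {
            int event = parser.getEventType();
            while (event != XmlPullParser.END_DOCUMENT) {
                if (event == XmlPullParser.TEXT) {
                    text.append(parser.getText());
                }
                event = parser.next();
            }
        } catch (XmlPullParserException e) {
            return null;
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        String hardened = readText(newHardenedParser(BILLION_LAUGHS));
        System.out.println(hardened == null
                ? "hardened parser: rejected document that relies on DTD entities"
                : "hardened parser: parsed " + hardened.length() + " chars");

        // Only the three-level sample is used here; do not run the weak
        // configuration against untrusted input.
        String weak = readText(newEntityProcessingParser(BILLION_LAUGHS));
        System.out.println(weak == null
                ? "entity-processing parser: rejected document"
                : "entity-processing parser: parsed " + weak.length() + " chars");
    }
}
```

Treat the `null` return as a hard failure of input validation rather than something to retry: a document that depends on DTD-declared entities is exactly the kind of input the answer says you should not accept from an unknown source. Because XmlPullParser implementations differ, the explicit `setFeature` call belongs wherever the parser is created, not in a one-off check somewhere else in the application.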