Xml External Entities in Gin with Mongodb

An XML External Entity (XXE) vulnerability occurs when an application processes XML input that references external entities, allowing an attacker to disclose local files, perform SSRF, or consume resources. In a Gin-based Go service that interacts with MongoDB, the risk arises when XML payloads are parsed and the resulting data is used to construct MongoDB queries without proper validation or sanitization.

Gin does not parse XML by default; developers must explicitly integrate an XML parser such as encoding/xml or a third-party library. If XML input is accepted—for example, via an HTTP POST body—and unmarshaled into Go structures, malicious entity definitions can be injected. Consider an endpoint that receives XML user profiles and stores them in MongoDB:

// Gin route handling XML input
func createUser(c *gin.Context) {
    var user User
    if err := c.BindXML(&user); err != nil {
        c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
        return
    }
    collection := client.Database("test").Collection("users")
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
    defer cancel()
    _, err := collection.InsertOne(ctx, user)
    if err != nil {
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
        return
    }
    c.JSON(http.StatusCreated, gin.H{"status": "created"})
}

If the User struct or an intermediate XML unmarshaling step inadvertently includes fields that reference external entities (e.g., via a custom XML decoder configured to resolve entities), an attacker can supply an XML body that reads /etc/passwd or triggers SSRF against internal MongoDB metadata endpoints. Even when using strict struct binding, a supplemental XML parser stage elsewhere in the codebase—such as legacy configuration ingestion or document processing—can expose the attack surface.

With MongoDB, the impact is compounded if the parsed XML data is later used to build queries. For example, if attacker-controlled XML fields are concatenated into a raw JSON/JavaScript query string and evaluated, it may enable NoSQL injection or provide indirect paths for data exfiltration. XXE can also expose internal network topology when external entities point to MongoDB connection strings or metadata services, especially in environments where DNS rebinding or SSRF is feasible.

To mitigate in Gin, avoid XML parsing for untrusted data. If XML is required, use a secure parser that disables external entity resolution and DTDs. Validate and sanitize all extracted fields before using them in MongoDB operations, and prefer strongly typed struct binding with c.ShouldBindJSON for JSON payloads. Apply principle of least privilege to MongoDB connections and enforce network segmentation to reduce the blast radius of any successful injection.

Securing Gin handlers that interact with MongoDB starts with input validation and avoiding unsafe XML processing. Replace XML binding with JSON binding wherever possible, and ensure any XML usage is restricted to trusted sources with external entity resolution disabled.

1. Use JSON binding instead of XML

For new endpoints, prefer JSON and leverage Gin’s built-in binding, which does not carry XXE risk:

// Safe JSON binding in Gin
type User struct {
    Name  string `json:"name" validate:"required,max=100"`
    Email string `json:"email" validate:"required,email"`
}

func createUserJSON(c *gin.Context) {
    var user User
    if err := c.ShouldBindJSON(&user); err != nil {
        c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
        return
    }
    // Validate with a library like go-playground/validator if needed
    collection := client.Database("test").Collection("users")
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
    defer cancel()
    result, err := collection.InsertOne(ctx, user)
    if err != nil {
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
        return
    }
    c.JSON(http.StatusCreated, gin.H{"id": result.InsertedID})
}

2. If XML is unavoidable, disable external entities

When XML processing is required, use a parser that disables DTD and external entity resolution. In Go, this typically involves using xml.NewDecoder with a custom tokenizer or a hardened third-party library. Never use encoding/xml with default settings on untrusted input that may include entity declarations:

// Example: secure XML decoding with entity restriction
func parseSafeXML(data []byte) (User, error) {
    var user User
    decoder := xml.NewDecoder(bytes.NewReader(data))
    decoder.Entity = xml.HTMLEntity
    decoder.Strict = false
    for {
        tok, err := decoder.Token()
        if err == io.EOF {
            break
        }
        if err != nil {
            return user, err
        }
        // Only process expected tokens and ignore external entity references
        if se, ok := tok.(xml.StartElement); ok {
            if se.Name.Local == "user" {
                if err := decoder.DecodeElement(&user, &se); err != nil {
                    return user, err
                }
            }
        }
    }
    return user, nil
}

3. Validate and sanitize before MongoDB queries

Always validate and sanitize data before using it in MongoDB operations. Use parameterized updates and avoid concatenating raw input into query strings. For example, use bson.M with explicit fields instead of building JSON from raw XML text:

collection := client.Database("test").Collection("users")
filter := bson.M{"email": user.Email}
update := bson.M{"$set": bson.M{"name": user.Name}}
_, err := collection.UpdateOne(ctx, filter, update)
if err != nil {
    // handle error
}

4. Apply principle of least privilege and network controls

Ensure MongoDB connections from Gin services use dedicated accounts with minimal permissions and restrict network access to prevent unintended exposure of internal endpoints.