ajinabraham.njsscan.xml.xxe_sax.xxe_sax

Author
unknown

Use of 'ondoctype' in the 'sax' library detected. By default, 'sax' does nothing with custom DTD entity definitions. If you are implementing custom DTD entity handling, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that any external entities encountered while processing XML are received from a trusted source.

Definition

rules:
  - id: xxe_sax
    pattern-either:
      - pattern: |
          require('sax')
          ...
          $PARSER.ondoctype = ...;
      - pattern: |-
          require('sax')
          ...
          $PARSER.on('doctype',...)
    severity: WARNING
    languages:
      - javascript
    message: Use of 'ondoctype' in the 'sax' library detected. By default, 'sax'
      does nothing with custom DTD entity definitions. If you are implementing
      custom DTD entity handling, be sure not to introduce XML External Entity
      (XXE) vulnerabilities, or be absolutely sure that any external entities
      encountered while processing XML are received from a trusted source.
    metadata:
      owasp-web: a4
      cwe: cwe-611
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
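As an added example (not part of the rule or of njsscan), the following is a 'doctype' handler that stays on the safe side of what this rule flags: it registers only inline entity values in `parser.ENTITIES` and refuses any SYSTEM or PUBLIC identifier, so nothing is fetched or expanded from outside the document (CWE-611). The names `extractInternalEntities` and `attachDoctypeGuard` are assumptions of this example; the parser shape (`ENTITIES`, `ondoctype`) follows sax's documented API, and the two DOCTYPE strings are constructed samples.

```javascript
// Added example, not from the rule page: a guarded ondoctype handler for 'sax'.
// sax passes the handler the text of the <!DOCTYPE ...> declaration; a handler
// that turns that text into parser.ENTITIES is exactly where XXE creeps in.

// Inline (internal) general entities only: <!ENTITY name "value"> or 'value'.
const INTERNAL_ENTITY = /<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+("([^"]*)"|'([^']*)')\s*>/g;
// Any SYSTEM/PUBLIC external identifier, on general or parameter (%) entities.
const EXTERNAL_ENTITY = /<!ENTITY\s+(%\s*)?[A-Za-z_:][\w.:-]*\s+(SYSTEM|PUBLIC)\b/i;

// Collect the entity definitions a DOCTYPE may legitimately add. Throws on any
// external entity so the caller never resolves a URI on the document's behalf.
function extractInternalEntities(doctypeText) {
  if (EXTERNAL_ENTITY.test(doctypeText)) {
    throw new Error('external entity declaration in DOCTYPE rejected');
  }
  const entities = {};
  for (const m of doctypeText.matchAll(INTERNAL_ENTITY)) {
    entities[m[1]] = m[3] !== undefined ? m[3] : m[4];
  }
  return entities;
}

// Install the guard on a sax-style parser object (anything exposing ENTITIES
// and an ondoctype property). With the real library this is:
//   const sax = require('sax'); attachDoctypeGuard(sax.parser(true));
// The check runs before any entity is registered, so a rejected DOCTYPE
// leaves parser.ENTITIES untouched and aborts parser.write() with the error.
function attachDoctypeGuard(parser) {
  parser.ondoctype = (doctype) => {
    const entities = extractInternalEntities(doctype); // throws on SYSTEM/PUBLIC
    Object.assign(parser.ENTITIES, entities);
  };
  return parser;
}

// Constructed sample declarations (the text sax hands to ondoctype).
const SAFE_DOCTYPE = ' note [ <!ENTITY greeting "hello"> ]';
const XXE_DOCTYPE = ' note [ <!ENTITY ext SYSTEM "http://example.invalid/external.dtd"> ]';

module.exports = { extractInternalEntities, attachDoctypeGuard, SAFE_DOCTYPE, XXE_DOCTYPE };
```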