ajinabraham.njsscan.xxe_sax.xxe_sax

Use of 'ondoctype' in the 'sax' library detected. By default, 'sax' does nothing with custom DTD entity definitions: the DOCTYPE text is handed to your handler unchanged, and it is the handler's code that decides what a SYSTEM or PUBLIC entity means. If you implement custom DTD entity handling, be sure not to introduce an XML External Entity (XXE) vulnerability, or be absolutely sure that any external entities you resolve while processing the XML come from a trusted source.
Definition
rules:
- id: xxe_sax
  pattern-either:
  - pattern: |
      require('sax')
      ...
      $PARSER.ondoctype = ...;
  - pattern: |-
      require('sax')
      ...
      $PARSER.on('doctype',...)
  severity: WARNING
  languages:
  - javascript
  message: Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't
    do anything with custom DTD entity definitions. If you're implementing a
    custom DTD entity definition, be sure not to introduce XML External Entity
    (XXE) vulnerabilities, or be absolutely sure that any external entities
    resolved while processing the XML come from a trusted source.
  metadata:
    owasp-web: a4
    cwe: cwe-611
    license: LGPL-3.0-or-later
Short Link: https://sg.run/XB4q