ajinabraham.njsscan.xxe_xml2json.xxe_xml2json
ajinabrahamAuthor
1,129
Download Count*
License
Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
Run Locally
Run in CI
Defintion
rules:
- id: xxe_xml2json
patterns:
- pattern-inside: |
require('xml2json')
...
- pattern-either:
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: $EXPAT.toJson(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: $EXPAT.toJson(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
$EXPAT.toJson(<... $INPUT ...>,...)
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
$EXPAT.toJson(<... $INPUT ...>,...)
message: Make sure that unverified user data can not reach the XML Parser, as it
can result in XML External or Internal Entity (XXE) Processing
vulnerabilities.
metadata:
owasp-web: a4
cwe: cwe-611
license: LGPL-3.0-or-later
severity: ERROR
languages:
- javascript
Short Link: https://sg.run/jRpy