contrib.nodejsscan.xml_entity_expansion_dos.node_entity_expansion
returntocorpAuthor
99
Download Count*
License
User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
Run Locally
Run in CI
Defintion
rules:
- id: node_entity_expansion
patterns:
- pattern-either:
- pattern-inside: function ($REQ, $RES, ...) {...}
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: |
$PARSER = new expat.Parser();
...
$PARSER.write(..., <... $REQ.$QUERY ...>, ...);
- pattern: |
$PARSER = new expat.Parser();
...
$PARSER.write(..., <... $REQ.$QUERY.$FOO ...>, ...);
- pattern: |
$PARSER = new expat.Parser();
...
$PARSER.write(..., <... $REQ.$QUERY.$FOO.$FILE ...>, ...);
message: User controlled data in XML Parsers can result in XML Internal Entity
Processing vulnerabilities like in DoS.
languages:
- javascript
severity: ERROR
metadata:
owasp: A04:2017 - XML External Entities (XXE)
cwe: "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML
Entity Expansion')"
category: security
technology:
- node.js
- express
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/ydw7