contrib.nodejsscan.xxe_expat.xxe_expat


Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.


Definition

rules:
  # Flags node-expat parse()/write() calls whose argument is derived from the
  # request object of an Express-style handler. All four `patterns` entries
  # below must hold at once (they are AND-ed); each `pattern-either` is an OR.
  - id: xxe_expat
    patterns:
      # Scope: only code that appears after a require('node-expat') call.
      - pattern-inside: |
          require('node-expat');
          ...
      # The sink must sit inside a handler whose first two parameters bind to
      # $REQ and $RES (plain function, assigned function, or inline callback
      # passed to $APP.$METHOD). NOTE(review): the examples use arrow
      # handlers; matching them relies on Semgrep treating
      # `function $FUNC(...) {...}` as equivalent to an arrow function — confirm.
      - pattern-either:
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      # A parser must have been constructed earlier in the same scope, either
      # via the module object ($EXPAT.Parser) or a directly imported Parser.
      - pattern-either:
          - pattern-inside: |
              $PARSER = new $EXPAT.Parser(...);
              ...
          - pattern-inside: |
              $PARSER = new Parser(...);
              ...
      # Sinks. The tainted source is any nested property of the request
      # ($REQ.$QUERY.$FOO) or any direct property ($REQ.$BODY); the `<... ...>`
      # deep-expression operator lets it appear anywhere inside the argument.
      - pattern-either:
          # parse() fed directly from the request object.
          - pattern: $PARSER.parse(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $PARSER.parse(<... $REQ.$BODY ...>,...)
          # parse() fed through one intermediate local $INPUT.
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $PARSER.parse(<... $INPUT ...>,...);
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $PARSER.parse(<... $INPUT ...>,...);
          # write() fed directly from the request object.
          - pattern: $PARSER.write(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $PARSER.write(<... $REQ.$BODY ...>,...)
          # write() fed through one intermediate local $INPUT.
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $PARSER.write(<... $INPUT ...>,...);
          - pattern: |-
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $PARSER.write(<... $INPUT ...>,...);
    message: Make sure that unverified user data can not reach the XML Parser, as it
      can result in XML External or Internal Entity (XXE) Processing
      vulnerabilities.
    metadata:
      owasp: A04:2017 - XML External Entities (XXE)
      cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
    languages:
      - javascript

Examples

xxe_expat.js

// Semgrep test fixture for the xxe_expat rule: each route below feeds
// request-derived data into a node-expat parser. The Semgrep test runner
// expects every `// ruleid:` marker on the line directly above the line
// where the finding starts, so do not insert anything between them.
const express = require('express')
const app = express()
const port = 3000
const expat = require('node-expat');

// Direct sink: the raw request body is handed to parse().
// No body-parsing middleware is registered in this file, so at runtime
// req.body is presumably undefined; the fixture only needs to match statically.
app.get('/test', async (req, res) => {
    var parser = new expat.Parser('UTF-8')
    // ruleid: xxe_expat
    parser.parse(req.body)
    res.send('Hello World!')
})

// Direct sink: a query-string parameter is streamed into write().
app.get('/test1', async (req, res) => {
    var parser = new expat.Parser('UTF-8')
    // ruleid: xxe_expat
    parser.write(req.query.value)
    res.send('Hello World!')
})

// Indirect sink: request data is first copied into a local and then written.
// The rule's two-statement pattern ($INPUT = ...; ... $PARSER.write($INPUT))
// covers this, which is why the marker sits on the assignment rather than
// on the write() call.
app.get('/test2', async (req, res) => {
    var parser = new expat.Parser('UTF-8')
    // ruleid: xxe_expat
    var data = req.body.foo
    parser.write(data)
    res.send('Hello World!')
})

app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))