contrib.nodejsscan.xxe_sax.xxe_sax

Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that any external entities are received from a trusted source while processing XML.
Definition
rules:
- id: xxe_sax
pattern-either:
- pattern: |
require('sax');
...
$PARSER.ondoctype = ...;
- pattern: |-
require('sax');
...
$PARSER.on('doctype',...);
severity: WARNING
languages:
- javascript
message: Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't
do anything with custom DTD entity definitions. If you're implementing a
custom DTD entity definition, be sure not to introduce XML External Entity
(XXE) vulnerabilities, or be absolutely sure that any external entities are
received from a trusted source while processing XML.
metadata:
owasp: A04:2017 - XML External Entities (XXE)
cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
category: security
technology:
- node.js
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
xxe_sax.js
/**
 * Example the xxe_sax rule flags: a 'sax' parser gets an `ondoctype` handler
 * and is then fed XML whose DOCTYPE declares an external entity.
 *
 * The rule keys on `require('sax')` followed by `$PARSER.ondoctype = ...;`
 * (first pattern); the `onattribute` hook is not part of what it matches.
 * By default 'sax' does nothing with DTD entity definitions, so the risk is
 * entirely in what the handler does with the DOCTYPE text it receives.
 * `doSmth` and `processDocType` are not defined in this snippet.
 */
function test1() {
// ruleid: xxe_sax
var sax = require("sax"),
strict = false,
parser = sax.parser(strict);
parser.onattribute = function (attr) {
doSmth(attr)
};
parser.ondoctype = function (dt) {
processDocType(dt)
}
// The DOCTYPE below declares an entity with a SYSTEM identifier pointing at
// a local file; `dt` in the handler above is where that declaration shows up.
// Resolving or expanding it in the handler is what would reintroduce XXE.
const xml = `<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<username>&xxe;</username>`;
parser.write(xml).close();
}
/**
 * Stream form of the same finding: the rule's second pattern matches
 * `$PARSER.on('doctype', ...)` on a stream created from `require("sax")`.
 *
 * `strict`, `options`, `fs` and `processType` are not defined in this snippet;
 * the example only shows the shape the rule detects. The "opentag" listener
 * is not something the rule reports on.
 */
function test2() {
// ruleid: xxe_sax
var saxStream = require("sax").createStream(strict, options)
saxStream.on("opentag", function (node) {
// same object as above
})
saxStream.on("doctype", function (node) {
processType(node)
})
// By default 'sax' does not act on DTD entity definitions, so whether an
// external entity declared in "file.xml" is ever resolved depends on what
// processType does with the DOCTYPE payload it is handed above.
fs.createReadStream("file.xml")
.pipe(saxStream)
.pipe(fs.createWriteStream("file-copy.xml"))
}