contrib.nodejsscan.xxe_xml2json.xxe_xml2json


Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.


Definition

rules:
  - id: xxe_xml2json
    # All three pattern groups below must hold at once: the file loads
    # xml2json, the sink sits inside a request-handler-shaped function, and
    # the value handed to the parser comes from that handler's request object.
    patterns:
      # Scope to code that follows a require('xml2json') in the same file.
      - pattern-inside: |
          require('xml2json');
          ...
      # Handler shapes whose first two parameters bind $REQ / $RES: a plain
      # declaration, a function expression assigned to a name, or a callback
      # passed as the last argument of $APP.$METHOD(...) (e.g. app.get(path, handler)).
      - pattern-either:
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      # Sinks: $EXPAT.toJson(...) whose first argument contains request data,
      # either passed directly or through one intermediate variable ($INPUT)
      # assigned earlier in the same handler. $REQ.$QUERY.$FOO covers nested
      # fields such as req.query.xml; $REQ.$BODY covers any direct property of
      # the request (req.body, but also req.params and similar).
      # NOTE(review): only that single assignment hop is followed, and there is
      # no pattern-not for validated input, so data that passes through further
      # variables or helper calls is neither matched nor excluded — worth
      # confirming against the project's own fixtures.
      - pattern-either:
          - pattern: $EXPAT.toJson(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $EXPAT.toJson(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $EXPAT.toJson(<... $INPUT ...>,...);
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $EXPAT.toJson(<... $INPUT ...>,...);
    # Finding text shown to the developer; the fix is input validation before parsing.
    message: Make sure that unverified user data can not reach the XML Parser, as it
      can result in XML External or Internal Entity (XXE) Processing
      vulnerabilities.
    metadata:
      owasp: A04:2017 - XML External Entities (XXE)
      cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
    languages:
      - javascript

Examples

xxe_xml2json.js

/**
 * Positive Semgrep fixture for xxe_xml2json: the handler copies a raw
 * query-string value into a local and hands that local to xml2json.toJson
 * with no validation in between, so the rule's "assignment, then toJson"
 * pattern is expected to fire starting on the line after the `ruleid` marker.
 * The handler never writes a response; it exists only to exercise the rule.
 */
function test1() {
    const express = require('express')
    const xml2json = require('xml2json')
    const app = express()
    const port = 3000

    app.get('/', (req, res) => {
        // Attacker-controlled XML reaches the parser through the `xml` local.
        // ruleid: xxe_xml2json
        const xml = req.query.xml
        const content = xml2json.toJson(xml, { coerce: true, object: true });
    })

    app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
}

/**
 * Positive Semgrep fixture for xxe_xml2json: the request body is passed
 * straight to xml2json.toJson as its first argument, matching the rule's
 * direct `$REQ.$BODY` sink pattern on the line after the `ruleid` marker.
 * As in test1, the handler sends no response; it only exercises the rule.
 */
function test2() {
    const express = require('express')
    const xml2json = require('xml2json')
    const app = express()
    const port = 3000

    app.get('/', (req, res) => {
        // The unparsed body goes directly into the XML parser.
        // ruleid: xxe_xml2json
        const content = xml2json.toJson(req.body, { coerce: true, object: true });
    })

    app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
}