javascript.node-expat.security.audit.expat-xxe.expat-xxe
If unverified user data can reach the XML parser, it can result in XML External or Internal Entity (XXE) processing vulnerabilities. This is an audit rule: it reports any node-expat parser whose `parse()`/`write()` argument is not a string literal, so each finding needs manual review of where that input actually comes from.
Definition
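# Semgrep audit rule for node-expat.  It reports a Parser that is fed anything
# other than a string literal.  It does NOT inspect how the parser is
# configured (entity handlers, expansion limits); it only follows the shape
# "require node-expat -> construct Parser -> parse()/write() non-literal".
rules:
  - id: expat-xxe
    message: If unverified user data can reach the XML Parser it can result in XML
      External or Internal Entity (XXE) Processing vulnerabilities
    metadata:
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      category: security
      technology:
        - node-expat
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # LOW confidence is deliberate: the patterns cannot tell user-controlled
      # input from trusted non-literal input (file contents, Buffers, built
      # strings), so every finding needs triage.
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Positive patterns.  `$PARSER` is bound to the constructed Parser so that
      # only parse()/write() calls on *that* object are reported.  Leaving
      # `$PARSER` unbound (matching `new $EXPAT.Parser(...)` on its own) would
      # also flag unrelated calls that merely follow the constructor, such as
      # `JSON.parse(x)` or `res.write(body)`.
      - pattern-either:
          # Module kept in a variable, constructor reached via member access.
          - pattern: |
              var $EXPAT = require('node-expat');
              ...
              $PARSER = new $EXPAT.Parser(...);
              ...
              $PARSER.parse(...);
          - pattern: |
              var $EXPAT = require('node-expat');
              ...
              $PARSER = new $EXPAT.Parser(...);
              ...
              $PARSER.write(...);
          # Bare `require('node-expat')` also matches the call inside a
          # destructuring import such as `const {Parser} = require('node-expat')`
          # (see the test2 fixture), after which `Parser` is used directly.
          - pattern: |
              require('node-expat');
              ...
              $PARSER = new Parser(...);
              ...
              $PARSER.parse(...);
          - pattern: |
              require('node-expat');
              ...
              $PARSER = new Parser(...);
              ...
              $PARSER.write(...);
      # Exclusions, part 1: a string literal passed directly to the parser.
      - pattern-not: |
          var $EXPAT = require('node-expat');
          ...
          $PARSER = new $EXPAT.Parser(...);
          ...
          $PARSER.parse("...");
      - pattern-not: |
          var $EXPAT = require('node-expat');
          ...
          $PARSER = new $EXPAT.Parser(...);
          ...
          $PARSER.write("...");
      - pattern-not: |
          require('node-expat');
          ...
          $PARSER = new Parser(...);
          ...
          $PARSER.parse("...");
      - pattern-not: |
          require('node-expat');
          ...
          $PARSER = new Parser(...);
          ...
          $PARSER.write("...");
      # Exclusions, part 2: a string literal first stored in a variable and then
      # passed.  Only plain string literals are recognised; any other
      # non-user value is still reported, which is why this is an audit rule.
      - pattern-not: |
          $X = "...";
          ...
          $PARSER.parse($X);
      - pattern-not: |
          $X = "...";
          ...
          $PARSER.write($X);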
Examples
expat-xxe.js
/**
 * Positive fixture: node-expat is required into a `var`, a Parser is
 * constructed from it and then fed a non-literal value through `.parse()`.
 * Exercises the first positive pattern of the rule.  The `// ruleid:` marker
 * must stay on the line directly above the `require`, which is where the
 * fixture places the start of the match.
 *
 * @param {*} input - value handed to the parser; in a real caller this is the
 *   untrusted data the rule is warning about
 */
function test1(input) {
  // ruleid: expat-xxe
  var expat = require('node-expat')
  // 'UTF-8' is presumably the input encoding — confirm against node-expat docs
  var parser = new expat.Parser('UTF-8')
  parser.parse(input)
}
/**
 * Positive fixture: destructuring import of `Parser` from node-expat, then
 * non-literal data pushed via `.write()`.  Exercises the bare
 * `require('node-expat')` + `new Parser(...)` + `.write(...)` pattern.  The
 * `// ruleid:` marker must stay directly above the `require` line.
 *
 * @param {*} input - value written to the parser
 */
function test2(input) {
  // ruleid: expat-xxe
  const {Parser} = require('node-expat')
  const parser = new Parser('UTF-8')
  parser.write(input)
}
/**
 * Negative fixture: the parser receives a string literal directly.  This is
 * the case the rule's `$PARSER.parse("...")` exclusion (`pattern-not`) is
 * meant to suppress, so no finding is expected here.
 */
function okTest3() {
  // ok: expat-xxe
  var expat = require('node-expat')
  var parser = new expat.Parser('UTF-8')
  parser.parse("safe input")
}
/**
 * Negative fixture: a string literal is first stored in a local and then
 * written to the parser.  Suppressed by the rule's
 * `$X = "..."; ... $PARSER.write($X)` exclusion.  Note the exclusion only
 * recognises a plain string literal; a value built any other way would still
 * be reported.
 */
function okTest4() {
  // ok: expat-xxe
  const {Parser} = require('node-expat')
  const parser = new Parser('UTF-8')
  const x = "safe input"
  parser.write(x)
}
/**
 * Negative fixture: a `Parser` that does not come from node-expat.  None of
 * the rule's patterns require any other module, so this is out of scope for
 * the rule even though the shape of the code is otherwise identical to test2.
 *
 * @param {*} input - value written to the (non-node-expat) parser
 */
function okTest5(input) {
  // ok: expat-xxe
  const {Parser} = require('some-other-module')
  const parser = new Parser('UTF-8')
  parser.write(input)
}