javascript.node-expat.security.audit.expat-xxe.expat-xxe


If unverified user data can reach the XML parser, it can result in XML External or Internal Entity (XXE) processing vulnerabilities



Definition

# Semgrep rule: reports node-expat parse()/write() calls whose argument is
# anything other than a string literal, on the assumption that such data may
# reach the XML parser without validation.
rules:
  - id: expat-xxe
    message: If unverified user data can reach the XML Parser it can result in XML
      External or Internal Entity (XXE) Processing vulnerabilities
    metadata:
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      category: security
      technology:
        - node-expat
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # Audit-class rule: the patterns below do not track where the data comes
      # from, so every non-literal argument is reported and manual triage is
      # expected.
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Positive cases: a CommonJS require('node-expat') (bound to a variable or
      # used bare), then a Parser construction, then a parse()/write() call
      # later in the same scope. $PARSER is a free metavariable, not tied to the
      # constructed object, so any receiver of a later parse()/write() call is
      # reported. Only require() forms are listed; ES-module `import` of
      # node-expat is not matched by these patterns.
      - pattern-either:
          # require() result bound to a variable, parser built via $EXPAT.Parser
          - pattern: |
              var $EXPAT = require('node-expat');
              ...
              new $EXPAT.Parser(...);
              ...
              $PARSER.parse(...);
          - pattern: |
              var $EXPAT = require('node-expat');
              ...
              new $EXPAT.Parser(...);
              ...
              $PARSER.write(...);
          # bare require() (e.g. destructured), parser built via plain Parser
          - pattern: |
              require('node-expat');
              ...
              new Parser(...);
              ...
              $PARSER.parse(...);
          - pattern: |
              require('node-expat');
              ...
              new Parser(...);
              ...
              $PARSER.write(...);
      # Exclusions: the call argument is a string literal ("..." matches any
      # string literal), either written inline or passed through a variable that
      # was assigned from a literal. Nothing else is excluded, so values read
      # from files, the network or function parameters are all reported.
      - pattern-not: |
          var $EXPAT = require('node-expat');
          ...
          new $EXPAT.Parser(...);
          ...
          $PARSER.parse("...");
      - pattern-not: |
          var $EXPAT = require('node-expat');
          ...
          new $EXPAT.Parser(...);
          ...
          $PARSER.write("...");
      - pattern-not: |
          require('node-expat');
          ...
          new Parser(...);
          ...
          $PARSER.parse("...");
      - pattern-not: |
          require('node-expat');
          ...
          new Parser(...);
          ...
          $PARSER.write("...");
      # These two carry no require()/Parser context of their own: they suppress
      # any parse()/write() whose argument variable was assigned a literal.
      - pattern-not: |
          $X = "...";
          ...
          $PARSER.parse($X);
      - pattern-not: |-
          $X = "...";
          ...
          $PARSER.write($X);

Examples

expat-xxe.js

/**
 * Must-match fixture for expat-xxe (CommonJS `var` + `expat.Parser` form).
 *
 * The XML handed to parse() is the raw caller argument, so nothing in this
 * block establishes that it is trusted; the rule is expected to flag it.
 *
 * @param {string} input - XML text of unknown provenance.
 * @returns {void}
 */
function test1(input) {
    // ruleid: expat-xxe
    var xml = require('node-expat');
    var xmlParser = new xml.Parser('UTF-8');
    // NOTE(review): whether node-expat expands internal entities or resolves
    // external ones by default is not visible here — confirm before triage.
    xmlParser.parse(input);
}

/**
 * Must-match fixture for expat-xxe (destructured `Parser` + write() form).
 *
 * Exercises the bare `require('node-expat')` pattern: the constructor is
 * destructured rather than accessed through a module variable, and the
 * untrusted argument flows into write() instead of parse().
 *
 * @param {string} input - XML text of unknown provenance.
 * @returns {void}
 */
function test2(input) {
    // ruleid: expat-xxe
    const { Parser } = require('node-expat');
    const xmlParser = new Parser('UTF-8');
    xmlParser.write(input);
}

/**
 * Must-not-match fixture for expat-xxe: the parse() argument is an inline
 * string literal, which the rule's first `pattern-not` exempts.
 *
 * @returns {void}
 */
function okTest3() {
    // ok: expat-xxe
    var xml = require('node-expat');
    var xmlParser = new xml.Parser('UTF-8');
    xmlParser.parse("safe input");
}

/**
 * Must-not-match fixture for expat-xxe: the write() argument is a variable
 * that was assigned a string literal, which the rule's `$X = "..."` exclusion
 * covers.
 *
 * @returns {void}
 */
function okTest4() {
    // ok: expat-xxe
    const { Parser } = require('node-expat');
    const xmlParser = new Parser('UTF-8');
    const fixedXml = "safe input";
    xmlParser.write(fixedXml);
}

/**
 * Must-not-match fixture for expat-xxe: a `Parser` that does not come from
 * node-expat. The rule keys on `require('node-expat')`, so a same-named
 * constructor from another module is outside its scope even though the
 * argument is untrusted.
 *
 * @param {string} input - data of unknown provenance.
 * @returns {void}
 */
function okTest5(input) {
    // ok: expat-xxe
    const { Parser } = require('some-other-module');
    const otherParser = new Parser('UTF-8');
    otherParser.write(input);
}