JS-D022 · XML parsing may be vulnerable to XXE attacks

XML parsing may be vulnerable to XXE attacks JS-D022

Security

Major

a month ago — 2 years old

medium priority

a05 cwe-611 cwe-827 sans top 25 owasp top 10

Found unsafe XML parsing

 18// insecure XML parse
 19const xmlDoc = libxmljs.parseXmlString(xml, {
 20  noblanks: true,
 21  noent: true, 22  nocdata: true,
 23});
 24console.log(xmlDoc);

Description

XXE Injection is a type of attack against an application that parses XML input.

By default, many XML processors allow specification of an external entity - a URI (Uniform Resource Identifier) that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

It is recommended to disable fetching external entities whenever possible.

Possible attacks include using file: schemes or relative paths in the system identifier. This can expose local files, which may contain sensitive data such as passwords or private user data.

A system identifier is also a URI (Uniform Resource Identifier) e.g., file:///path/to/file etc.

For example, a sample XML document is given below, containing an XML element, username.

<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Bad Practice

import libxmljs from 'libxmljs'
import fs from 'fs'

const xml = fs.readFileSync('someDataFile.xml', 'utf8')
const xmlDoc = libxmljs.parseXmlString(xml, {
   noblanks: true,
   noent: true, // Noncompliant: noent set to true
   nocdata: true
})

QuackatronHQ / Gigarepo

Bad Practice

Recommended

References