Unsanitized user input in XML parsing method

• Rule ID: javascript_express_xml_external_entity_vulnerability
• Languages: javascript
• Source: xml_external_entity_vulnerability.yml

Description

Unsanitized user input in XML parsing can lead to XML External Entity (XXE) injection. This vulnerability occurs when XML input containing a reference to an external entity is processed by an XML parser. The external entity can point to a file URI or network resource, potentially allowing an attacker to access sensitive data or interact with internal systems.

Remediations

• Do not parse XML input containing untrusted data without proper sanitization. External entities within the XML should be treated with caution.

  var libxml = require("libxmljs");
  libxml.parseXmlString(xml, { noent: false, noblanks: true });

• Do not enable the parsing of external entities in XML parsers. For instance, when using LibXML, ensure the noent option is set to false to prevent XXE attacks.

References

• OWASP XML External Entity (XXE) prevention cheat sheet

Associated CWE

• CWE-611: Improper Restriction of XML External Entity Reference

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_xml_external_entity_vulnerability

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_xml_external_entity_vulnerability