Unsanitized user input in XML parsing method

Overview

  • Rule ID: javascript_express_xml_external_entity_vulnerability

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-611

Description

Unsanitized user input in XML parsing can lead to XML External Entity (XXE) injection. This vulnerability occurs when XML input containing a reference to an external entity is processed by an XML parser. The external entity can reference a file URI or network resource, potentially allowing an attacker to access sensitive data or interact with internal systems.

Remediation Guidelines

  • Do not parse XML input containing untrusted data without proper sanitization. External entities within the XML should be treated with caution.

    var libxml = require("libxmljs");
    // noent: false keeps entity substitution disabled so external entities
    // are never resolved; noblanks: true drops whitespace-only text nodes.
    libxml.parseXmlString(xml, { noent: false, noblanks: true });
    
    
  • Do not enable the parsing of external entities in XML parsers. Ensure the noent option is set to false to prevent XXE attacks.
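The two guidelines above combine naturally into one small wrapper: pin the parser options so `noent` can never be switched on by a caller, and refuse untrusted documents that carry a DOCTYPE or ENTITY declaration at all before they reach the parser. The block below is an added example, not code from the rule page or from libxmljs; the parser is injected as `parseFn` (for instance `require("libxmljs").parseXmlString`) so the file runs without the native module, and the sample XML strings are constructed for the demonstration.

```javascript
// Added example (not from the original rule page): a guard that refuses
// untrusted XML carrying DOCTYPE/ENTITY markup and always passes the safe
// libxmljs options. `parseFn` is an injected parser (e.g. libxmljs'
// parseXmlString); a stub is used here so the file runs stand-alone.

// Parser options the rule recommends: noent:false keeps entity substitution
// disabled, noblanks:true drops whitespace-only text nodes.
function safeParseOptions() {
  return { noent: false, noblanks: true };
}

// Strip comments and CDATA sections first so markup inside them (which the
// parser would not treat as a declaration) does not cause a false positive,
// then look for DOCTYPE or ENTITY declarations.
function hasDoctypeOrEntity(xml) {
  const stripped = xml
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  return /<!DOCTYPE\b/i.test(stripped) || /<!ENTITY\b/i.test(stripped);
}

// Parse untrusted XML: reject any document that declares a DTD or entities,
// and pass the safe options regardless of what the caller might prefer.
function parseUntrustedXml(xml, parseFn) {
  if (typeof xml !== "string") {
    throw new TypeError("xml must be a string");
  }
  if (hasDoctypeOrEntity(xml)) {
    throw new Error("rejected: DOCTYPE/ENTITY declarations are not allowed in untrusted XML");
  }
  return parseFn(xml, safeParseOptions());
}

// Constructed sample inputs: a plain document and one declaring an external
// entity (the pattern the rule warns about).
const SAFE_XML = "<order><id>42</id></order>";
const XXE_XML =
  '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example/path">]><order>&ext;</order>';

// Demonstration with a stand-in parser that just echoes what it was given.
// With libxmljs installed, pass require("libxmljs").parseXmlString instead.
function demo() {
  const stubParser = (xml, opts) => ({ xml, opts });
  const ok = parseUntrustedXml(SAFE_XML, stubParser);
  let rejected = false;
  try {
    parseUntrustedXml(XXE_XML, stubParser);
  } catch (e) {
    rejected = true;
  }
  return { accepted: ok.opts.noent === false, rejected };
}

if (typeof module !== "undefined") {
  module.exports = { safeParseOptions, hasDoctypeOrEntity, parseUntrustedXml, demo, SAFE_XML, XXE_XML };
}
```

Rejecting DOCTYPE outright is stricter than the rule requires, but for input from an untrusted client there is rarely a legitimate reason to accept a DTD, and the check is cheap to apply before the parser sees the bytes; the `noent: false` option remains the backstop if the pre-check is ever bypassed.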

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
