Objects that parse or handle XML data can lead to XML external entity (XXE) attacks when they are not configured properly. Improper restriction of XML external entity processing can lead to server-side request forgery and information disclosure.
1import libxmljs from "libxmljs"
2import fs from 'fs'
3
4function xmlExternalEntityNoncompliant() {
5 const xml = fs.readFileSync("foo.xml")
6 // Noncompliant: sets `noent` to true which enables the parsing of external entities.
7 const xmlDoc = libxmljs.parseXml(xml, { noent: true, noblanks: true })
8}
1import libxmljs from "libxmljs"
2import fs from 'fs'
3
4function xmlExternalEntityCompliant() {
5 const xml = fs.readFileSync("foo.xml")
6 // Compliant: parsing of external entities is disabled by default.
7 const xmlDoc = libxmljs.parseXml(xml, { noblanks: true })
8}