XML external entity (severity: High)

XML parsers that are not configured properly expose an application to XML external entity (XXE) attacks. An attacker who controls the XML input can declare an entity in the document's DTD whose system identifier points at a local file or a URL; if the parser is set to resolve external entities, that file or response is substituted into the document. Improper restriction of XML external entity processing can therefore lead to server-side request forgery (SSRF) and information disclosure, such as reading local files from the server.

Detector ID
typescript/xml-external-entity@v1.0
Category
Common Weakness Enumeration (CWE): CWE-611, Improper Restriction of XML External Entity Reference

Noncompliant example

import libxmljs from "libxmljs"
import fs from "fs"

function xmlExternalEntityNoncompliant() {
    // Assume foo.xml is attacker-controlled, for example an upload.
    const xml = fs.readFileSync("foo.xml", "utf8")
    // Noncompliant: `noent: true` substitutes entity references, including external
    // entities declared as <!ENTITY x SYSTEM "file:///..."> or "http://...", so the
    // parser reads local files into the document or issues server-side requests.
    const xmlDoc = libxmljs.parseXml(xml, { noent: true, noblanks: true })
    return xmlDoc
}

Compliant example

import libxmljs from "libxmljs"
import fs from "fs"

function xmlExternalEntityCompliant() {
    const xml = fs.readFileSync("foo.xml", "utf8")
    // Compliant: `noent` is left at its default of false, so entity references are
    // not substituted and an external entity cannot pull in a file or a URL.
    const xmlDoc = libxmljs.parseXml(xml, { noblanks: true })
    return xmlDoc
}