Regex Injection Via Doctype Entities

[ankitdn]

Describe the bug
While scanning my React Native application's manifest file using Vulert for vulnerability checks, I identified an issue associated with your package.

Reference
Upon conducting a vulnerability scan, the following references were identified:
Vulert Scan Report: Vulert Report
CVE Reference: CVE-2023-34104

[github-actions]

We're glad you find this project helpful. We'll try to address this issue ASAP. You can vist https://solothought.com to know recent features. Don't forget to star this repo.

[amitguptagwl]

Please upgrade to the latest version and confirm.

[ankitdn]

Thank you! Working with latest version.

[levpachmanov]

Hi @amitguptagwl ,
I believe the affected versions listed in the advisory are incorrect. Can you please update it to affect 4.1.3 and above?

Up until version 4.1.2, the entity name is parsed using RegExp("^\\s([a-zA-z0-0]+)[ \t](['\"])([^&]+)\\2"); - see https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.1.2/src/xmlparser/DocTypeReader.js#L108C35-L108C45
In this implementation, the entity name regex is constructed as follows RegExp( `&${match[1]};`,"g"),. Since match[1] is [a-zA-z0-0]+. It is not possible to construct a vulnerable regular expression.
Starting 4.1.3, the implementation changes to the following vulnerable implementation - https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.1.3/src/xmlparser/DocTypeReader.js#L62 .

Notice that the global advisory was already updated.