/
sax-xxe.yaml
40 lines (40 loc) · 1.1 KB
/
sax-xxe.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
rules:
- id: sax-xxe
message: >-
Use of 'ondoctype' in 'sax' library detected. By default, 'sax'
won't do anything with custom DTD entity definitions. If you're
implementing a custom DTD entity definition, be sure not to introduce
XML External Entity (XXE) vulnerabilities, or be absolutely sure that
external entities received from a trusted source while processing XML.
metadata:
owasp:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
cwe:
- 'CWE-611: Improper Restriction of XML External Entity Reference'
references:
- https://github.com/Leonidas-from-XIV/node-xml2js/issues/415
- https://github.com/isaacs/sax-js
category: security
technology:
- sax
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
languages:
- javascript
- typescript
severity: WARNING
pattern-either:
- pattern: |
require('sax');
...
$PARSER.ondoctype = ...;
- pattern: |-
require('sax');
...
$PARSER.on('doctype',...);