@@ -99,5 +99,47 @@ describe('Validation.XmlValidator', () => {
9999 const validationError = await validator . validate ( input )
100100 assert . strictEqual ( validationError , null )
101101 } )
102+
103+ it ( 'is not vulnerable to advisories/GHSA-mjr4-7xg5-pfvh' , async ( ) => {
104+ /* report:
105+ see https://github.com/advisories/GHSA-mjr4-7xg5-pfvh
106+ see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
107+ */
108+ const validator = new XmlValidator ( version )
109+ /* POC payload:
110+ see https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/#poc
111+ */
112+ const input = `<?xml version="1.0" encoding="UTF-8"?>
113+ <!DOCTYPE note
114+ [
115+ <!ENTITY writer "` + 'A' . repeat ( 0x1234 ) + `">
116+ ]>
117+ <from>&writer;</from>
118+ ` ;
119+ const validationError = await validator . validate ( input )
120+ // expected to not crash ...
121+ assert . strictEqual ( validationError , null )
122+ } )
123+
124+ it ( 'is not vulnerable to advisories/GHSA-78h3-pg4x-j8cv' , async ( ) => {
125+ /* report:
126+ see https://github.com/advisories/GHSA-78h3-pg4x-j8cv
127+ see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
128+ */
129+ const validator = new XmlValidator ( version )
130+ /* POC payload:
131+ see https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/#poc
132+ */
133+ const input = `<?xml version="1.0" encoding="UTF-8"?>
134+ <!DOCTYPE note
135+ [
136+ <!ENTITY writer PUBLIC "` + "A" . repeat ( 8 ) + "B" . repeat ( 8 ) + "C" . repeat ( 8 ) + "D" . repeat ( 8 ) + "P" . repeat ( 8 ) + `" "JFrog Security">
137+ ]>
138+ <from>&writer;</from>
139+ ` ;
140+ const validationError = await validator . validate ( input )
141+ // expected to not crash ...
142+ assert . strictEqual ( validationError , null )
143+ } )
102144 } ) )
103145} )
0 commit comments