fix: revert to v6.6.1

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,8 +6,14 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+## 6.7.1 -- 2024-05-07
+
+Reverted v6.7.0, back to v6.6.1
+
 ## 6.7.0 -- 2024-05-07
 
+!! THIS VERSION GOT YANKED !!
+
 * Changed
   * The provided XML validation capabilities no longer supports external entities (via [#1063]; concerns [#1061])  
     This is considered a security measure to prevent XML external entity (XXE) injection.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "6.7.0",
+  "version": "6.6.1",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [

src/validation/xmlValidator.node.ts

@@ -48,8 +48,7 @@ async function getParser (): Promise<typeof parseXml> {
 
 const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
   nonet: true,
-  compact: true,
-  noent: true // prevent https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
+  compact: true
 })
 
 export class XmlValidator extends BaseValidator {

tests/integration/Validation.XmlValidator.test.js

@@ -99,59 +99,5 @@ describe('Validation.XmlValidator', () => {
       const validationError = await validator.validate(input)
       assert.strictEqual(validationError, null)
     })
-
-    it('is not vulnerable to advisories/GHSA-mjr4-7xg5-pfvh', async () => {
-      /* report:
-      see https://github.com/advisories/GHSA-mjr4-7xg5-pfvh
-      see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
-      */
-      const validator = new XmlValidator(version)
-      /* POC payload:
-      see https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/#poc
-       */
-      const input = `<?xml version="1.0" encoding="UTF-8"?>
-        <!DOCTYPE note
-        [
-        <!ENTITY writer "` + 'A'.repeat(0x1234) + `">
-        ]>
-        <bom xmlns="http://cyclonedx.org/schema/bom/${version}">
-          <components>
-            <component type="library">
-              <name>&writer;</name><!-- << XML external entity (XXE) injection -->
-              <version>1.337</version>
-              ${version === '1.0' ? '<modified>false</modified>' : ''}
-            </component>
-          </components>
-        </bom>`
-      const validationError = await validator.validate(input)
-      assert.strictEqual(validationError, null)
-    })
-
-    it('is not vulnerable to advisories/GHSA-78h3-pg4x-j8cv', async () => {
-      /* report:
-      see https://github.com/advisories/GHSA-78h3-pg4x-j8cv
-      see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
-      */
-      const validator = new XmlValidator(version)
-      /* POC payload:
-      see https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/#poc
-      */
-      const input = `<?xml version="1.0" encoding="UTF-8"?>
-        <!DOCTYPE note
-        [
-        <!ENTITY writer PUBLIC "` + 'A'.repeat(8) + 'B'.repeat(8) + 'C'.repeat(8) + 'D'.repeat(8) + 'P'.repeat(8) + `" "JFrog Security">
-        ]>
-        <bom xmlns="http://cyclonedx.org/schema/bom/${version}">
-          <components>
-            <component type="library">
-              <name>&writer;</name><!-- << XML external entity (XXE) injection -->
-              <version>1.337</version>
-              ${version === '1.0' ? '<modified>false</modified>' : ''}
-            </component>
-          </components>
-        </bom>`
-      const validationError = await validator.validate(input)
-      assert.strictEqual(validationError, null)
-    })
   }))
 })