feat: XML Validator prevent parsing XXE (#1063)

jkowalleck · web-flow · commit 7c3409657616 · 2024-05-07T15:23:04.000+02:00
prevent the XmlValidation from XXE parsing - prevent XML external entity (XXE) injection This is considered a security measure. fixes #1061 as described here: #1063 (comment) --------- Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
diff --git a/HISTORY.md b/HISTORY.md
@@ -6,6 +6,13 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Changed
+  * The provided XML validation capabilities no longer supports external entities (via [#1063]; concerns [#1061])  
+    This is considered a security measure to prevent XML external entity (XXE) injection.
+
+[#1061]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
+[#1063]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063
+
 ## 6.6.1 -- 2024-05-06
 
 * Fixed
diff --git a/src/validation/xmlValidator.node.ts b/src/validation/xmlValidator.node.ts
@@ -48,7 +48,8 @@ async function getParser (): Promise<typeof parseXml> {
 
 const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
   nonet: true,
-  compact: true
+  compact: true,
+  noent: true // prevent https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
 })
 
 export class XmlValidator extends BaseValidator {
diff --git a/tests/integration/Validation.XmlValidator.test.js b/tests/integration/Validation.XmlValidator.test.js
@@ -99,5 +99,59 @@ describe('Validation.XmlValidator', () => {
       const validationError = await validator.validate(input)
       assert.strictEqual(validationError, null)
     })
+
+    it('is not vulnerable to advisories/GHSA-mjr4-7xg5-pfvh', async () => {
+      /* report:
+      see https://github.com/advisories/GHSA-mjr4-7xg5-pfvh
+      see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
+      */
+      const validator = new XmlValidator(version)
+      /* POC payload:
+      see https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/#poc
+       */
+      const input = `<?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE note
+        [
+        <!ENTITY writer "` + 'A'.repeat(0x1234) + `">
+        ]>
+        <bom xmlns="http://cyclonedx.org/schema/bom/${version}">
+          <components>
+            <component type="library">
+              <name>&writer;</name><!-- << XML external entity (XXE) injection -->
+              <version>1.337</version>
+              ${version === '1.0' ? '<modified>false</modified>' : ''}
+            </component>
+          </components>
+        </bom>`
+      const validationError = await validator.validate(input)
+      assert.strictEqual(validationError, null)
+    })
+
+    it('is not vulnerable to advisories/GHSA-78h3-pg4x-j8cv', async () => {
+      /* report:
+      see https://github.com/advisories/GHSA-78h3-pg4x-j8cv
+      see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
+      */
+      const validator = new XmlValidator(version)
+      /* POC payload:
+      see https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/#poc
+      */
+      const input = `<?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE note
+        [
+        <!ENTITY writer PUBLIC "` + 'A'.repeat(8) + 'B'.repeat(8) + 'C'.repeat(8) + 'D'.repeat(8) + 'P'.repeat(8) + `" "JFrog Security">
+        ]>
+        <bom xmlns="http://cyclonedx.org/schema/bom/${version}">
+          <components>
+            <component type="library">
+              <name>&writer;</name><!-- << XML external entity (XXE) injection -->
+              <version>1.337</version>
+              ${version === '1.0' ? '<modified>false</modified>' : ''}
+            </component>
+          </components>
+        </bom>`
+      const validationError = await validator.validate(input)
+      assert.strictEqual(validationError, null)
+    })
   }))
 })
