Typescript Xml External Entity

Description

Detects XML External Entity (XXE) vulnerabilities by identifying unsafe XML parser configurations. XXE vulnerabilities can allow attackers to disclose local files, perform server-side request forgery, or cause denial of service through external entity processing.

Weakness:

083 - XML injection (XXE)

Category: Unexpected Injection

Detection Strategy

    Check XML parser instantiation and configuration code

    Look for XML parsers that don't explicitly disable external entity processing

    Flag XML processing code where external entities are not explicitly disabled

    Identify XML parsers that use default unsafe configurations which may allow entity expansion
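The detection strategy above can be applied mechanically. The following is an added example, not code from the rule page: a small text-level check that scans JavaScript/TypeScript source for libxmljs2 parse calls (parseXml / parseXmlString) and reports every call that does not explicitly set `noent: false`. The sample sources at the bottom are constructed for this example; the first one mirrors the vulnerable snippet on this page, where the unsafe call is hidden inside a string passed to vm.runInContext.

```javascript
// Added example (not from the rule page): text-level XXE configuration check.
const PARSE_CALL = /\b(?:parseXml|parseXmlString)\s*\(/g;
const NOENT_OPTION = /\bnoent\s*:\s*(true|false)\b/;

// Return the options object literal passed to the parse call whose opening
// parenthesis sits at index `open`, or null when no object argument is present.
function extractOptions(src, open) {
  let depth = 0;
  let i = open;
  for (; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) break;
  }
  const args = src.slice(open + 1, i);
  const start = args.indexOf('{');
  if (start === -1) return null;
  return args.slice(start, args.lastIndexOf('}') + 1);
}

// Classify one call. Only an explicit `noent: false` is treated as clean, which
// is the rule's stance: a missing option is reported, not assumed safe.
function classify(options) {
  if (options === null) return 'no-options';
  const m = NOENT_OPTION.exec(options);
  if (!m) return 'noent-not-explicit';
  return m[1] === 'true' ? 'noent-enabled' : null;
}

// Scan a source string; return one finding { line, call, reason } per parse
// call that is not explicitly hardened.
function checkSource(src) {
  const findings = [];
  for (const match of src.matchAll(PARSE_CALL)) {
    const open = match.index + match[0].length - 1;
    const reason = classify(extractOptions(src, open));
    if (reason === null) continue;
    const line = src.slice(0, match.index).split('\n').length;
    findings.push({ line, call: match[0].replace(/\s*\($/, ''), reason });
  }
  return findings;
}

// Constructed sample sources. `vmWrapped` hides the call in a string handed to
// vm.runInContext; a text scan still sees it, whereas an AST-based check would
// only see a string literal.
const SAMPLES = {
  vmWrapped: [
    "const libxml = require('libxmljs2')",
    "const vm = require('vm')",
    'function parseXmlData(file) {',
    '  const sandbox = { libxml, file }',
    '  vm.createContext(sandbox)',
    "  return vm.runInContext('libxml.parseXml(file, { noent: true })', sandbox)",
    '}',
  ].join('\n'),
  noOptions: 'const doc = libxml.parseXml(input)',
  otherOptionsOnly: 'const doc = libxml.parseXml(input, {\n  noblanks: true\n})',
  explicitlyDisabled: 'const doc = libxml.parseXml(input, { noent: false })',
};

// Run the check over every sample and return the findings keyed by sample name.
function checkSamples() {
  const report = {};
  for (const [name, src] of Object.entries(SAMPLES)) report[name] = checkSource(src);
  return report;
}

console.log(JSON.stringify(checkSamples(), null, 2));
```

The check deliberately works on raw text rather than a syntax tree: the vulnerable example on this page builds the parser call as a string and evaluates it in a vm context, so an AST-based rule that only inspects real call expressions would miss it. The cost is the usual one for regex scanners (commented-out code is also reported), which is acceptable for a rule whose job is to surface parser configurations for review.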

Vulnerable code example

const libxml = require('libxmljs2')
const vm = require('vm')

function parseXmlData(file) {
  const sandbox = { libxml, file }
  vm.createContext(sandbox)
  // Vulnerable: unsafe XML parsing with entity substitution enabled (noent: true)
  return vm.runInContext('libxml.parseXml(file, { noent: true })', sandbox)
}

✅ Secure code example

const libxml = require('libxmljs2')
const vm = require('vm')

function parseXmlData(file) {
  // Create a minimal sandbox with only the required references
  const sandbox = {
    libxml,
    file
  }
  vm.createContext(sandbox)
  // Safe: entity substitution explicitly disabled (noent: false)
  return vm.runInContext('libxml.parseXml(file, { noent: false })', sandbox)
}