Typescript Noent True Allows Xxe
Description
Detects XML External Entity (XXE) vulnerabilities by identifying XML parsers configured with NOENT=true, which allows processing of external entities. This dangerous configuration can lead to XXE attacks including file disclosure, server-side request forgery, and denial of service.
Detection Strategy
• Check XML parser configuration settings and initialization code
• Flag instances where NOENT or similar entity processing options are set to true
• Report vulnerability when XML parser is configured to process external entities
Vulnerable code example
const libxmljs = require('libxmljs');
const fs = require('fs');

function parseXml() {
  const xml = fs.readFileSync('input.xml', 'utf8');
  // Vulnerable: noent: true enables external entity processing (XXE)
  const xmlDoc = libxmljs.parseXmlString(xml, { noent: true });
  return xmlDoc;
}

✅ Secure code example

const libxmljs = require('libxmljs');
const fs = require('fs');

function parseXml() {
  const xml = fs.readFileSync('input.xml', 'utf8');
  // Safe: noent defaults to false, so external entities are not expanded
  const xmlDoc = libxmljs.parseXmlString(xml);
  return xmlDoc;
}
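As an added example (not code from this rule page or from libxmljs), the detection strategy above can be implemented as a small static check: it finds `libxmljs.parseXml`/`parseXmlString` calls whose inline options object sets `noent` to `true`, including multi-line option objects. The helper names and the two source snippets are constructed for this demonstration; options objects defined elsewhere in the file are not followed.

```javascript
const CALL_RE = /\.parseXml(?:String)?\s*\(/g;
const NOENT_TRUE_RE = /(?:\bnoent\b|["']noent["'])\s*:\s*true\b/;

// Return the text of the call's argument list starting at the '(' at openIdx,
// tracking nesting so a multi-line options object is captured whole.
function extractCall(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (ch === '(' || ch === '{' || ch === '[') depth++;
    else if (ch === ')' || ch === '}' || ch === ']') {
      depth--;
      if (depth === 0) return src.slice(openIdx, i + 1);
    }
  }
  return src.slice(openIdx); // unterminated call: scan what is there
}

function lineOf(src, idx) { return src.slice(0, idx).split('\n').length; }

// Scan one source file; returns [{ line, call }] for each parse call whose
// inline options set noent: true. Options held in a variable are not followed.
function findNoentTrue(src) {
  const findings = [];
  let m;
  CALL_RE.lastIndex = 0;
  while ((m = CALL_RE.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1;
    const call = extractCall(src, openIdx);
    if (NOENT_TRUE_RE.test(call)) {
      findings.push({ line: lineOf(src, m.index), call: call.replace(/\s+/g, ' ') });
    }
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const VULNERABLE_SRC = [
  "const libxmljs = require('libxmljs');",
  "const doc = libxmljs.parseXmlString(xml, {",
  "  noent: true,",
  "  noblanks: true,",
  "});",
].join('\n');

const SAFE_SRC = "const libxmljs = require('libxmljs');\n" +
  "const doc = libxmljs.parseXmlString(xml, { noent: false });";

// findNoentTrue(VULNERABLE_SRC) -> [{ line: 2, call: '(xml, { noent: true, noblanks: true, })' }]
// findNoentTrue(SAFE_SRC)       -> []
```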