Typescript Unvalidated Xml Parsed In Vm
Description
Detects when XML data is parsed within a Node.js VM context without proper validation, which could allow XML-based attacks such as XXE (XML External Entity) injection. This is particularly risky because VM contexts are often used to execute untrusted code with inadequate security controls, and libxmljs2 resolves external entities whenever the parser is called with the noent:true option.
Detection Strategy
• Check if the source file imports both 'vm' and 'libxmljs2' modules
• Look for calls to runInContext method in the code
• Verify if the first argument to runInContext is a string literal
• Examine if the VM context parses XML content in a potentially dangerous way
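The four checks above can be expressed as a small static scan over source text. The following is an added example, not Fluid Attacks' own rule engine: it uses only Node.js string and regular-expression features (it does not load vm or libxmljs2 itself), and the sample sources, the function names and the finding format are all constructed for this illustration.

```javascript
// Added example: a minimal static check mirroring the detection strategy
// (imports of 'vm' and 'libxmljs2', a runInContext call with a string-literal
// first argument, and an XML parse that enables external entities).
// Function names, sample sources and the finding shape are constructed.

// Step 1: does the file import the named module (require or ES import)?
function importsModule(source, moduleName) {
  const req = new RegExp(`require\\(\\s*['"]${moduleName}['"]\\s*\\)`);
  const imp = new RegExp(`from\\s+['"]${moduleName}['"]`);
  return req.test(source) || imp.test(source);
}

// Steps 2 and 3: offsets of runInContext( calls whose first argument begins
// with a string literal (single quote, double quote or template literal).
function runInContextStringCalls(source) {
  const re = /runInContext\(\s*(['"`])/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) hits.push(m.index);
  return hits;
}

// Step 4: a parseXml/parseXmlString options object with noent: true, which is
// the setting that makes libxmljs2 resolve external entities.
function parsesXmlWithEntities(source) {
  const re = /parseXml(?:String)?\s*\([^)]*?noent\s*:\s*true/;
  return re.test(source);
}

// Combine the steps; returns an array of findings (empty when the rule is
// not applicable or the code is safe).
function checkSource(source) {
  const findings = [];
  if (!(importsModule(source, 'vm') && importsModule(source, 'libxmljs2'))) {
    return findings; // rule only applies when both modules are imported
  }
  const calls = runInContextStringCalls(source);
  if (calls.length === 0) return findings;
  if (parsesXmlWithEntities(source)) {
    findings.push({ rule: 'unvalidated-xml-parsed-in-vm', offsets: calls });
  }
  return findings;
}

// Constructed sample: parses XML with noent: true inside a vm context.
const VULNERABLE_SAMPLE = `
const vm = require('vm');
const libxml = require('libxmljs2');
const ctx = vm.createContext({ libxml, xmlData: input });
vm.runInContext('libxml.parseXml(xmlData, { noblanks: true, noent: true })', ctx);
`;

// Constructed sample: same structure, but external entities stay disabled.
const SAFE_SAMPLE = `
const vm = require('vm');
const libxml = require('libxmljs2');
const ctx = vm.createContext({ libxml, xmlData: input });
vm.runInContext('libxml.parseXml(xmlData, { noblanks: true, noent: false })', ctx);
`;

// Constructed sample: runInContext receives a variable, not a string literal,
// so step 3 does not match and the rule stays silent even though noent is true.
const DYNAMIC_SAMPLE = `
const vm = require('vm');
const libxml = require('libxmljs2');
const code = 'libxml.parseXml(xmlData, { noent: true })';
vm.runInContext(code, vm.createContext({ libxml, xmlData: input }));
`;

console.log(checkSource(VULNERABLE_SAMPLE)); // one finding
console.log(checkSource(SAFE_SAMPLE));       // []
```

The scan is deliberately text-based, so it shares the limitation of the strategy it mirrors: an options object assembled elsewhere, or XML passed through a different API, is not flagged, and a real rule would work on the parsed AST rather than on regular expressions.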
Vulnerable code example
const libxml = require('libxmljs2')

function parseXmlFile(xmlData) {
  // Vulnerable: enables external entity processing with noent:true
  const xmlDoc = libxml.parseXml(xmlData, {
    noblanks: true,
    noent: true,
    nocdata: true
  })
  return xmlDoc
}
✅ Secure code example
const libxml = require('libxmljs2')

function parseXmlFile(xmlData) {
  // Secure: disable external entity processing with noent:false
  const xmlDoc = libxml.parseXml(xmlData, {
    noblanks: true,
    noent: false, // Prevents XXE attacks by disabling external entities
    nocdata: true
  })
  return xmlDoc
}