When XML_PARSE_DTDVALID is enabled, libxml2 parses and loads external
entities present inside an XML document. This can lead to all the
classic XXE exploits, including SSRF and local file disclosure.
The issue was introduced in
99b9f83e4d4d (0.7.10).
Thanks to @BitK_.
}
tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
- NULL, NULL, XML_PARSE_DTDVALID
- | XML_PARSE_NOWARNING
+ NULL, NULL, XML_PARSE_NOWARNING
| XML_PARSE_NOERROR);
if (njs_slow_path(tree->doc == NULL)) {
njs_xml_error(vm, tree, "failed to parse XML");
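Review bot: The flags passed to `xmlCtxtReadMemory()` now rely entirely on libxml2's default behaviour to keep external entities from being fetched, and nothing at the call site records that. As far as I know libxml2 only loads external parsed entities when validation or entity substitution is requested, so dropping `XML_PARSE_DTDVALID` should close the hole. Adding `XML_PARSE_NONET` would additionally forbid network fetches if a loading flag is ever reintroduced: `NULL, NULL, XML_PARSE_NOWARNING | XML_PARSE_NOERROR | XML_PARSE_NONET);`. I would also put a comment above the call, such as `/* Do not add XML_PARSE_DTDVALID, XML_PARSE_DTDLOAD or XML_PARSE_NOENT: they make libxml2 load external DTDs or entities (XXE). */`. The enclosing function starts and ends outside the hunk.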
--- /dev/null
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY c PUBLIC "bar" "extern_entity.txt">
+]>
+<root>&c;</root>
+`;
+
+if (has_njs()) {
+ const xml = require('xml');
+ let doc = xml.parse(data);
+ assert.sameValue(doc.$root.$text, "");
+}
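Review bot: The assertion `assert.sameValue(doc.$root.$text, "")` cannot tell "the external entity was not loaded" apart from "extern_entity.txt was not found". The test may therefore pass even with the vulnerable flags if the fixture is missing or the relative path resolves somewhere else. No fixture file is visible on this page, so this is a hedged concern. If the file is added elsewhere in the commit, a comment would make the dependency explicit, e.g. `// extern_entity.txt must exist next to this test and be non-empty, otherwise the check is vacuous`. As a minor style point, `data` and `doc` are never reassigned and could be `const`.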