From f0881774d5adb7c647b4e020f0bb765bdd431083 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Wed, 1 Mar 2023 21:38:09 -0800
Subject: [PATCH] XML: removed XML_PARSE_DTDVALID during a document parsing.

When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external entities present inside an xml document. This can lead to all the classic XXE exploits, including SSRF and local file disclosure. The issue was introduced in 99b9f83e4d4d (0.7.10). Thanks to @BitK_.
---
 external/njs_xml_module.c | 3 +--
 test/xml/external_entity_ignored.t.js | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 test/xml/external_entity_ignored.t.js

diff --git a/external/njs_xml_module.c b/external/njs_xml_module.c
index 4a3bda05..21f2f384 100644
--- a/external/njs_xml_module.c
+++ b/external/njs_xml_module.c
@@ -432,8 +432,7 @@ njs_xml_ext_parse(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
 }
 
 tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
- NULL, NULL, XML_PARSE_DTDVALID
- | XML_PARSE_NOWARNING
+ NULL, NULL, XML_PARSE_NOWARNING
 | XML_PARSE_NOERROR);
 if (njs_slow_path(tree->doc == NULL)) {
 njs_xml_error(vm, tree, "failed to parse XML");
diff --git a/test/xml/external_entity_ignored.t.js b/test/xml/external_entity_ignored.t.js
new file mode 100644
index 00000000..26ee2403
--- /dev/null
+++ b/test/xml/external_entity_ignored.t.js
@@ -0,0 +1,18 @@
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `
+
+]>
+&c;
+`;
+
+if (has_njs()) {
+ const xml = require('xml');
+ let doc = xml.parse(data);
+ assert.sameValue(doc.$root.$text, "");
+}
-- 
2.47.3
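Review bot: The new xmlCtxtReadMemory() call in njs_xml_ext_parse is now safe only because libxml2's defaults happen to not fetch external entities or the external DTD subset — nothing in the flags says so, and re-adding any of XML_PARSE_DTDVALID, XML_PARSE_DTDLOAD, XML_PARSE_DTDATTR or XML_PARSE_NOENT later would quietly reintroduce the XXE this commit fixes. A comment above the call should pin that invariant, e.g. `/* Never add DTDVALID/DTDLOAD/DTDATTR/NOENT: they make libxml2 resolve external entities from untrusted input (XXE, SSRF, file disclosure). */`. As defense in depth I would also pass the long-standing network-off flag explicitly, `| XML_PARSE_NOERROR | XML_PARSE_NONET);`, so that even a future flag mistake cannot reach the network. Presumably tree->ctx is a per-parse context rather than one shared across calls with lingering options; worth confirming, since xmlCtxtReadMemory inherits state from it. njs_xml_ext_parse starts and ends outside this hunk.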
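Review bot: The new test only pins one XXE shape — a general entity referenced from element content, which is what the `assert.sameValue(doc.$root.$text, "")` line checks — while the flags removed in njs_xml_module.c also governed loading of an external DTD subset and of external parameter entities referenced from the internal subset. A second document with `<!DOCTYPE root SYSTEM "file:///nonexistent">` and one with a `%p;` parameter-entity reference, each asserting that parse() either yields an empty `$text` or throws rather than reading the target, would catch a regression the current case cannot. The literal in `let data` appears truncated on this page, so I cannot confirm exactly which entity form it declares; the assertion itself reads correctly.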