Merge pull request #20048 from Napalys/js/xml_bomb_sinks

JS: Exclude patched libraries from `xml-bomb` sink
2025-12-16 16:53:25 +01:00 · 2025-08-29 08:10:55 +02:00
parent 0cc9ff8320 ea93b392f7
commit bafe22c50c
11 changed files with 23 additions and 39 deletions
--- a/javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md
+++ b/javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Removed `libxmljs` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/GNOME/libxml2/blob/0c948334a8f5c66d50e9f8992e62998017dc4fc6/NEWS#L905-L908) that prevents XML bomb attacks.
--- a/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll
@@ -49,9 +49,7 @@ module XML {
    override JS::Expr getSourceArgument() { result = this.getArgument(0) }

    override predicate resolvesEntities(EntityKind kind) {
-      // internal entities are always resolved
-      kind = InternalEntity()
-      or
+      not kind = InternalEntity() and
      // other entities are only resolved if the configuration option `noent` is set to `true`
      exists(JS::Expr noent |
        this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +124,9 @@ module XML {
    override JS::Expr getSourceArgument() { result = this.getArgument(0) }

    override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
    }

    override DataFlow::Node getAResult() {
@@ -149,8 +148,9 @@ module XML {
    override JS::Expr getSourceArgument() { result = this.getArgument(0) }

    override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
    }

    override DataFlow::Node getAResult() {
--- a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected
@@ -5,10 +5,6 @@
 | domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
 | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
 | jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
 edges
 | closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance |  |
 | closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance |  |
@@ -31,8 +27,4 @@ nodes
 | jquery.js:2:7:2:36 | src | semmle.label | src |
 | jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:14:4:16 | src | semmle.label | src |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
 subpaths
--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.js
@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');

 express().get('/some/path', function(req) {
-  libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default
+  libxmljs.parseXml(req.param("some-xml"));
 });
--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js
@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');

 express().get('/some/path', function(req) {
-  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion
+  libxmljs.parseXml(req.param("some-xml"), { noent: true });
 });
--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');

 express().get('/some/path', function(req) {
  const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+  parser.parseString(req.param("some-xml"));
 });
--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');

 express().get('/some/path', function(req) {
  const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+  parser.push(req.param("some-xml"));
 });