Merge pull request #20048 from Napalys/js/xml_bomb_sinks

JS: Exclude patched libraries from `xml-bomb` sink

javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Removed `libxmljs` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/GNOME/libxml2/blob/0c948334a8f5c66d50e9f8992e62998017dc4fc6/NEWS#L905-L908) that prevents XML bomb attacks.

javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll

@@ -49,9 +49,7 @@ module XML {
     override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
     override predicate resolvesEntities(EntityKind kind) {
-      // internal entities are always resolved
-      kind = InternalEntity()
-      or
+      not kind = InternalEntity() and
       // other entities are only resolved if the configuration option `noent` is set to `true`
       exists(JS::Expr noent |
         this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +124,9 @@ module XML {
     override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
     override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
     }
 
     override DataFlow::Node getAResult() {
@@ -149,8 +148,9 @@ module XML {
     override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
     override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
     }
 
     override DataFlow::Node getAResult() {