codeql/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js at 7bf69d92ca731a0c9cf0ce0c25338e883a25adf2 · asgerf/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
const express = require('express');
const libxmljs = require('libxmljs');

express().get('/some/path', function (req) {
  // NOT OK: unguarded entity expansion
  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert
});

express().post('/some/path', function (req, res) {
  // NOT OK: unguarded entity expansion
  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert

  // NOT OK: unguarded entity expansion
  libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ Alert
  // NOT OK: unguarded entity expansion
  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Alert

  // OK - no entity expansion
  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false })
});