From: Dmitry Volyntsev
Date: Thu, 2 Mar 2023 05:38:09 +0000 (-0800)
Subject: XML: removed XML_PARSE_DTDVALID during a document parsing.
X-Git-Tag: 0.7.11~8
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=f0881774d5adb7c647b4e020f0bb765bdd431083;p=njs.git

XML: removed XML_PARSE_DTDVALID during a document parsing.

When XML_PARSE_DTDVALID is enabled libxml2 parses and executes external entities present inside an xml document. This can lead to all the classic XXE exploits, including SSRF and local file disclosure. The issue was introduced in 99b9f83e4d4d (0.7.10). Thanks to @BitK_.
---
diff --git a/external/njs_xml_module.c b/external/njs_xml_module.c
index 4a3bda05..21f2f384 100644
--- a/external/njs_xml_module.c
+++ b/external/njs_xml_module.c
@@ -432,8 +432,7 @@ njs_xml_ext_parse(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
 }
 tree->doc = xmlCtxtReadMemory(tree->ctx, (char *) data.start, data.length,
- NULL, NULL, XML_PARSE_DTDVALID | XML_PARSE_NOWARNING
+ NULL, NULL, XML_PARSE_NOWARNING
 | XML_PARSE_NOERROR);
 if (njs_slow_path(tree->doc == NULL)) {
 njs_xml_error(vm, tree, "failed to parse XML");
diff --git a/test/xml/external_entity_ignored.t.js b/test/xml/external_entity_ignored.t.js
new file mode 100644
index 00000000..26ee2403
--- /dev/null
+++ b/test/xml/external_entity_ignored.t.js
@@ -0,0 +1,18 @@
+/*---
+includes: [compatXml.js, compatNjs.js]
+flags: []
+paths: []
+---*/
+
+let data = `
+
+]>
+&c;
+`;
+
+if (has_njs()) {
+ const xml = require('xml');
+ let doc = xml.parse(data);
+ assert.sameValue(doc.$root.$text, "");
+}
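Review bot: The new option mask on the `xmlCtxtReadMemory` call only drops XML_PARSE_DTDVALID, so the internal DTD subset is still parsed and the fix relies on libxml2's default of not invoking the external entity loader; that holds only as long as neither XML_PARSE_DTDLOAD nor XML_PARSE_NOENT is ever set on `tree->ctx`, and the context is created outside this hunk, so the hunk itself cannot guarantee it. I would make the intent explicit and add defense in depth: change the mask to `NULL, NULL, XML_PARSE_NOWARNING | XML_PARSE_NOERROR | XML_PARSE_NONET);` and put `/* never add XML_PARSE_DTDVALID, DTDLOAD or NOENT: they let libxml2 resolve external entities (XXE, SSRF, file disclosure) */` above the call. A stronger variant, if the module has an init hook, is to install an entity loader that refuses every external resource via `xmlSetExternalEntityLoader`, which protects any future parse path, not just this call. The enclosing function `njs_xml_ext_parse` starts and ends outside the hunk.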
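Review bot: The only assertion, `assert.sameValue(doc.$root.$text, "")`, also passes when the entity reference is simply undefined or the element body is otherwise empty, so the test cannot tell "external entity ignored" apart from "document parsed to nothing"; it should additionally pin that the document really parsed, e.g. `assert.sameValue(typeof doc.$root, "object")` and, if the root name is known, an assertion on `doc.$root.$name` (the DOCTYPE and element lines of `data` appear stripped in this rendering, so I cannot quote the expected name). A second fixture with an external DTD subset, `<!DOCTYPE foo SYSTEM "http://127.0.0.1/x.dtd">`, would also guard against XML_PARSE_DTDLOAD being reintroduced later. On style, `data` and `doc` are never reassigned, so `const data` and `const doc` would read better, and the `has_njs()` guard means the test silently passes on other engines, which is presumably the harness convention.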