Advisories for Npm/Fast-Xml-Parser package

2024
2023

fast-xml-parser regex vulnerability patch could be improved from a safety perspective

Summary This is a comment on https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw and the patches fixing it. Details The code which validates a name calls the validator: https://github.com/NaturalIntelligence/fast-xml-parser/blob/ecf6016f9b48aec1a921e673158be0773d07283e/src/xmlparser/DocTypeReader.js#L145-L153 This checks for the presence of an invalid character. Such an approach is always risky, as it is so easy to forget to include an invalid character in the list. A safer approach is to validate entity names against the XML specification: https://www.w3.org/TR/xml11/#sec-common-syn - an ENTITY name …

fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

Impact As a part of this vulnerability, user was able to se code using proto as a tag or attribute name. const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); let XMLdata = "<proto><polluted>hacked</polluted></proto>" const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted) // should return hacked Patches The problem has been patched in v4.1.2 Workarounds User can check for "proto" in the XML string before parsing it to the parser. …

Inefficient Regular Expression Complexity

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the …