fix: revert to v6.6.1
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck committed May 7, 2024
1 parent 974c558 commit 5e5e1e0
Showing 4 changed files with 8 additions and 57 deletions.
6 changes: 6 additions & 0 deletions HISTORY.md
Expand Up @@ -6,8 +6,14 @@ All notable changes to this project will be documented in this file.

<!-- add unreleased items here -->

## 6.7.1 -- 2024-05-07

Reverted v6.7.0, back to v6.6.1

## 6.7.0 -- 2024-05-07

!! THIS VERSION GOT YANKED !!

* Changed
* The provided XML validation capabilities no longer supports external entities (via [#1063]; concerns [#1061])
This is considered a security measure to prevent XML external entity (XXE) injection.
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cyclonedx-library",
"version": "6.7.0",
"version": "6.6.1",
"description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
"license": "Apache-2.0",
"keywords": [
3 changes: 1 addition & 2 deletions src/validation/xmlValidator.node.ts
Expand Up @@ -48,8 +48,7 @@ async function getParser (): Promise<typeof parseXml> {

const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
nonet: true,
compact: true,
noent: true // prevent https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
compact: true
})

export class XmlValidator extends BaseValidator {
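Review bot: The reverted option set `nonet: true, compact: true` carries no comment recording why entity substitution is left off, so the next reader who sees the yanked 6.7.0 changelog entry will be tempted to re-add the removed `noent: true` line. In libxml2 that flag is XML_PARSE_NOENT, which enables entity substitution rather than preventing it, so if libxmljs2 passes the option through unchanged the removed line was never the mitigation its comment claimed; this is worth confirming against the libxmljs2 version pinned in package.json, which is not visible here. I would keep the issue link but state the actual rationale: `nonet: true, // no network access while parsing` and `compact: true // entity substitution (noent) deliberately not enabled; see issues/1061`. The hunk header names getParser, but the options object is declared outside any function body visible in this section.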
54 changes: 0 additions & 54 deletions tests/integration/Validation.XmlValidator.test.js
Expand Up @@ -99,59 +99,5 @@ describe('Validation.XmlValidator', () => {
const validationError = await validator.validate(input)
assert.strictEqual(validationError, null)
})

it('is not vulnerable to advisories/GHSA-mjr4-7xg5-pfvh', async () => {
/* report:
see https://github.com/advisories/GHSA-mjr4-7xg5-pfvh
see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
*/
const validator = new XmlValidator(version)
/* POC payload:
see https://research.jfrog.com/vulnerabilities/libxmljs2-attrs-type-confusion-rce-jfsa-2024-001034097/#poc
*/
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note
[
<!ENTITY writer "` + 'A'.repeat(0x1234) + `">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/${version}">
<components>
<component type="library">
<name>&writer;</name><!-- << XML external entity (XXE) injection -->
<version>1.337</version>
${version === '1.0' ? '<modified>false</modified>' : ''}
</component>
</components>
</bom>`
const validationError = await validator.validate(input)
assert.strictEqual(validationError, null)
})

it('is not vulnerable to advisories/GHSA-78h3-pg4x-j8cv', async () => {
/* report:
see https://github.com/advisories/GHSA-78h3-pg4x-j8cv
see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
*/
const validator = new XmlValidator(version)
/* POC payload:
see https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098/#poc
*/
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note
[
<!ENTITY writer PUBLIC "` + 'A'.repeat(8) + 'B'.repeat(8) + 'C'.repeat(8) + 'D'.repeat(8) + 'P'.repeat(8) + `" "JFrog Security">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/${version}">
<components>
<component type="library">
<name>&writer;</name><!-- << XML external entity (XXE) injection -->
<version>1.337</version>
${version === '1.0' ? '<modified>false</modified>' : ''}
</component>
</components>
</bom>`
const validationError = await validator.validate(input)
assert.strictEqual(validationError, null)
})
}))
})
