RSTR-XXE-004 — xml2js permissive parser options

Summary

xml2js is constructed with explicitArray: false as its only non-default option; that toggle changes the output shape, not safety, and entity expansion stays at the library default. The application is exposed to billion-laughs denial of service and to entity-based data exfiltration when the upstream library version permits it.

This rule is intentionally narrower than the lxml / libxmljs ones: it flags the "I tweaked parser options for convenience but didn't think about security" pattern.

Severity

Medium.

Languages

JavaScript, TypeScript.

What rastray flags

const parser = new xml2js.Parser({ explicitArray: false }); // ← flagged
parser.parseString(payload, cb);

What rastray deliberately does not flag

  • new xml2js.Parser() with default options.
  • Parser constructions where explicitCharkey: true and explicit entity-handling options are also set.

How to fix it

Switch to a parser with safer defaults (fast-xml-parser with processEntities: false, which turns entity expansion off) or validate the input before parsing:

import { XMLParser } from 'fast-xml-parser';

const parser = new XMLParser({
  ignoreAttributes: false,
  processEntities: false,        // explicitly off
});
const json = parser.parse(payload);

If you must keep xml2js, add an upstream size and depth limit (an HTTP body limit plus a regex-based reject of <!DOCTYPE / <!ENTITY blocks) and suppress the finding with a comment that records the mitigation.

References