JS: Exclude patched libraries from xml-bomb sink #20048


Open
Napalys wants to merge 4 commits into github:main from Napalys:js/xml_bomb_sinks

Conversation

Napalys (Contributor) commented Jul 15, 2025 (edited)

Removed libxmljs and lxml from the XML bomb sink list, as their underlying C library has been patched and is no longer vulnerable.

@Napalys Napalys marked this pull request as ready for review July 16, 2025 08:44
@Copilot Copilot AI review requested due to automatic review settings July 16, 2025 08:44
@Napalys Napalys requested review from a team as code owners July 16, 2025 08:44
Copilot (Contributor) left a comment

Pull Request Overview

This PR updates XML bomb vulnerability detection by removing libxmljs and lxml from the list of vulnerable XML parsing sinks. The underlying libxml2 C library has been patched with entity reference loop detection that prevents XML bomb attacks, making these libraries no longer vulnerable to such attacks.

Key changes:

  • Removed XML bomb vulnerability detection for libxmljs in JavaScript
  • Removed XML bomb vulnerability detection for lxml in Python
  • Updated test expectations to reflect the reduced number of detected vulnerabilities

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Summary per file:

  • javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll: Updated libxmljs parsers to only resolve external/parameter entities, not internal entities
  • python/ql/lib/semmle/python/frameworks/Lxml.qll: Removed XML bomb detection logic for lxml parsers with explanatory comment
  • javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md: Added changelog entry documenting libxmljs changes
  • python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md: Added changelog entry documenting lxml changes
  • Various test files: Updated test expectations and removed XML bomb alert comments
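The review above rests on two properties a parser must bound to stop an XML bomb: how far internal entities expand, and whether their references form a loop. As an added example that is not code from this PR, CodeQL or libxml2, the checker below estimates both over a document's internal DTD subset; the minimal entity grammar, the sample documents and all function names are my own assumptions.

```python
import re
# Minimal grammar for internal general entities (added example, not libxml2's parser).
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def parse_internal_entities(doc):
    """Map entity name -> replacement text for each internal general entity."""
    return dict(ENTITY_DECL.findall(doc))

def _text_size(text, entities, stack, memo):
    """Expanded length of `text` with every entity reference resolved recursively."""
    size, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        size += m.start() - last + expanded_size(entities, m.group(1), stack, memo)
        last = m.end()
    return size + len(text) - last

def expanded_size(entities, name, stack=(), memo=None):
    """Fully expanded length of entity `name`; ValueError on a reference loop."""
    memo = {} if memo is None else memo
    if name in stack:  # the case an entity-reference-loop check must reject
        raise ValueError("entity reference loop: " + " -> ".join(stack + (name,)))
    if name not in memo:
        if name not in entities:
            raise KeyError("undeclared entity: " + name)
        memo[name] = _text_size(entities[name], entities, stack + (name,), memo)
    return memo[name]

def body_expanded_size(doc):
    """Expanded size of the body after the internal DTD subset (where the blow-up lands)."""
    end = doc.rfind("]>")
    body = doc[end + 2:] if end != -1 else doc
    return _text_size(body, parse_internal_entities(doc), (), {})

def has_reference_loop(doc):
    """True if expanding the document's body would recurse forever."""
    try:
        body_expanded_size(doc)
    except ValueError:
        return True
    return False

# Constructed samples: a small nested expansion (10 -> 50 -> 250 bytes) and a direct loop.
SAMPLE_NESTED = """<!DOCTYPE r [
<!ENTITY a "xxxxxxxxxx">
<!ENTITY b "&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;">
]>
<r>&c;</r>"""
SAMPLE_LOOP = '<!DOCTYPE r [<!ENTITY x "&y;"><!ENTITY y "&x;">]><r>&x;</r>'
```

Comparing body_expanded_size against the raw document length gives the amplification ratio; a parser with a per-document expansion budget would reject the document once that budget is exceeded, and a loop is rejected before any expansion happens.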

Reviewers: Copilot left review comments. At least 1 approving review is required to merge this pull request.
Assignees: No one assigned
Projects: None yet
Milestone: No milestone
1 participant: @Napalys
