no-xxe-injection
Detects XML External Entity (XXE) injection vulnerabilities. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-se
Keywords: XXE, XML External Entity, CWE-611, SSRF, file disclosure, security, XML parsing
💼 This rule is set to error in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-611 (XXE Injection) |
| Severity | Critical (CVSS 9.1) |
| Auto-Fix | ❌ Manual fix required |
| Category | Injection Prevention |
Vulnerability and Risk
Vulnerability: XML External Entity (XXE) vulnerabilities occur when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Risk: An attacker can use XXE to access local files on the server (Local File Inclusion), perform Server-Side Request Forgery (SSRF) attacks, or cause Denial of Service (DoS) via "Billion Laughs" attacks (recursive entity expansion).
Rule Details
XXE injection occurs when XML parsers process external entity references, allowing attackers to:
- Read sensitive local files (`/etc/passwd`, config files)
- Make HTTP requests to internal services (SSRF)
- Cause DoS through entity expansion ("billion laughs" attack)
- Perform port scanning of internal networks
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 📂 File Disclosure | Sensitive data exposure | Disable external entities |
| 🌐 SSRF | Internal network access | Use safe XML parsers |
| 💣 DoS | Service unavailability | Limit entity expansion |
Examples
❌ Incorrect

```js
// Unsafe DOMParser usage: untrusted XML goes straight into the parser
const parser = new DOMParser();
const doc = parser.parseFromString(userXml, 'text/xml');
```

```js
// XML with dangerous entity declarations
const xml = `
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
`;
```

```js
// Parsing untrusted XML without validation
const data = xmlParser.parse(req.body.xml);
```

✅ Correct
```js
// Use a safe parser with external entities disabled
const parser = new DOMParser();
// DOMParser takes no parser options; pass it only XML that has already been validated
const doc = parser.parseFromString(sanitizedXml, 'text/xml');
```

```js
// Validate and sanitize XML input before parsing
const safeXml = validateXml(userInput);
const data = xmlParser.parse(safeXml, {
  noent: false, // Disable entity resolution
  resolveExternals: false, // Disable external references
});
```

```js
// Use JSON instead of XML when possible
const data = JSON.parse(userInput);
```

Configuration
```js
{
  rules: {
    'secure-coding/no-xxe-injection': ['error', {
      safeParserOptions: ['noent', 'resolveExternals'],
      xmlValidationFunctions: ['validateXml', 'sanitizeXml']
    }]
  }
}
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| `safeParserOptions` | `string[]` | `['noent', 'resolveExternals']` | Options that indicate safe configuration |
| `xmlValidationFunctions` | `string[]` | `['validateXml', 'sanitizeXml']` | Functions that validate XML input |
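The rule treats a call to a function named in `xmlValidationFunctions` (by default `validateXml` or `sanitizeXml`) as evidence that the input was checked before parsing, but the plugin does not ship such a function; what it does is up to the application. The following is an added example of one way to write it, not code from the plugin: it refuses any document that carries a DTD (the only place entities can be declared, so this removes external entities and entity expansion at once), refuses entity references that no DTD-less parser could resolve, and caps input size. The sample inputs are constructed for the demonstration, `MAX_XML_BYTES` is an assumed limit, and `checkXml` is a convenience wrapper this example defines.

```javascript
'use strict';

// Constructed samples: the payload shape from the Examples section plus benign documents.
const XXE_SAMPLE = `
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
`;
const BENIGN_SAMPLE =
  '<?xml version="1.0"?><data id="1">Tom &amp; Jerry &#169; &#x263A;</data>';
const UNDECLARED_REF_SAMPLE = '<data>&evil;</data>';

// Assumption: 1 MiB is a reasonable upper bound for XML request bodies here; tune per service.
const MAX_XML_BYTES = 1024 * 1024;

// The five entities every XML parser knows without any DTD.
const PREDEFINED_ENTITIES = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// Captures the name inside an entity reference such as &xxe; or &#x263A;
const ENTITY_REF = /&([^;\s<&]{1,32});/g;

// Throws on anything that would let a parser load or expand entities; returns the
// input unchanged otherwise. Deliberately fail-closed: a DOCTYPE that only appears
// inside a comment or CDATA section is rejected as well.
function validateXml(xml) {
  if (typeof xml !== 'string') {
    throw new TypeError('XML input must be a string');
  }
  if (new TextEncoder().encode(xml).length > MAX_XML_BYTES) {
    throw new Error('XML input exceeds size limit');
  }
  // A DTD is the only place entities can be declared, so refusing it blocks
  // external entities (file read, SSRF) and internal expansion (billion laughs).
  if (/<!DOCTYPE/i.test(xml)) {
    throw new Error('DOCTYPE declarations are not allowed');
  }
  if (/<!ENTITY/i.test(xml)) {
    throw new Error('ENTITY declarations are not allowed');
  }
  // With no DTD, only the predefined entities and character references are legal.
  for (const [, name] of xml.matchAll(ENTITY_REF)) {
    if (PREDEFINED_ENTITIES.has(name)) continue;
    if (/^#(?:x[0-9a-fA-F]+|[0-9]+)$/.test(name)) continue;
    throw new Error(`undeclared entity reference: &${name};`);
  }
  return xml;
}

// Non-throwing wrapper for callers that want a verdict rather than an exception.
function checkXml(xml) {
  try {
    validateXml(xml);
    return { ok: true, reason: null };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Demonstration over the constructed samples.
for (const [label, sample] of Object.entries({ XXE_SAMPLE, BENIGN_SAMPLE, UNDECLARED_REF_SAMPLE })) {
  console.log(label, checkXml(sample));
}
```

Call `validateXml(req.body.xml)` and hand its return value to the parser, with parser-level entity resolution still switched off as in the Correct examples; the validator is a second layer, not a replacement for a safe parser configuration. Rejecting all DTDs is what the OWASP cheat sheet linked below recommends, and it is stricter than a parser option alone because it also removes internal-entity expansion.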
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
```text
🔒 CWE-611 OWASP:A05 CVSS:9.1 | XXE (XML External Entity) detected | CRITICAL
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/
```

Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-611 OWASP:A05 CVSS:9.1 |
| Issue Description | Specific vulnerability | XXE (XML External Entity) detected |
| Severity & Compliance | Impact assessment | CRITICAL |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Query from Variable
Why: Query strings from variables not traced.
```js
// ❌ NOT DETECTED - Query from variable
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.execute(query);
```

Mitigation: Always use parameterized queries.
Custom Query Builders
Why: Custom ORM/query builders not recognized.
```js
// ❌ NOT DETECTED - Custom builder
customQuery.where(userInput).execute();
```

Mitigation: Review all query builder patterns.
Template Engines
Why: Template-based queries not analyzed.
```js
// ❌ NOT DETECTED - Template
executeTemplate('query.sql', { userId });
```

Mitigation: Validate all template variables.
Further Reading
- OWASP XXE Prevention - Prevention cheat sheet
- CWE-611 - Official CWE entry
- PortSwigger XXE - XXE attack techniques
Related Rules
- `no-xpath-injection` - XPath injection prevention
- `no-sql-injection` - SQL injection prevention