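//IASTIGNORE
/*
 * ****************************************************
 * Licensed Materials - Property of HCL.
 * (c) Copyright HCL Technologies Ltd. 2017, 2025.
 * Note to U.S. Government Users *Restricted Rights.
 * ****************************************************
 */
const HookRule = require('./HookRule');
const TaintTracker = require('../../TaintTracker');
const StackInfo = require('../../StackInfo');
const Vulnerability = require('../../Vulnerability');

/**
 * Sink rule for XML External Entity (XXE) injection.
 *
 * Post-hook on an XML parse call whose second argument is the parser options
 * object. The rule fires only when that options object has a truthy `noent`
 * property: with entity substitution enabled, an attacker-controlled document
 * can declare external entities that the parser resolves (file read / SSRF).
 * Entity substitution is assumed to be off by default, so the absence of the
 * option, or a falsy value, is treated as safe and nothing is reported.
 *
 * NOTE(review): only `noent` is inspected. If the hooked parser also honours
 * libxml2-style `dtdload` / `dtdvalid` options, external DTD fetching would
 * go unflagged by this rule — confirm against the hooked API.
 */
class XXESinkRule extends HookRule {
  /**
   * @param {object} hookValues - Captured call context supplied by the hook
   *   framework: `args` (the hooked call's arguments), `that`, `simpleThat`,
   *   `methodName`, `simpleArgs` and `simpleRet`.
   * @returns {void}
   */
  doHook(hookValues) {
    // Be tolerant of a hook that captured no arguments: a rule must never
    // throw inside the instrumented application's call path.
    const args = hookValues.args;
    const parseOptions = args != null ? args[1] : undefined;

    // `noent` enables entity substitution; only then can an external entity
    // in an untrusted document be expanded, so only then is this a sink.
    if (parseOptions == null || !parseOptions.noent) {
      return;
    }

    // `this.data.from` presumably selects which hooked argument carries the
    // (possibly tainted) document — verify against the rule configuration.
    const param = HookRule.getActualParam(this.data.from, hookValues);
    const parameters = StackInfo.getParamsStringArrayPostHook(
      hookValues.that,
      hookValues.simpleThat,
      hookValues.methodName,
      hookValues.simpleArgs,
      hookValues.simpleRet,
    );
    TaintTracker.sinkTrigger(param, Vulnerability.XXE, parameters);
  }
}

module.exports = XXESinkRule;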