Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed #1

renovate · 2023-10-07T15:04:59Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fast-xml-parser	`3.21.1` -> `4.2.4`

GitHub Vulnerability Alerts

CVE-2023-34104

Impact

"fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.

Patches

The problem has been resolved in v4.2.4

Workarounds

Avoid using DOCTYPE parsing by processEntities: false option.

References

Are there any links users can visit to find out more?

CVE-2023-26920

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

`v4.2.4`: Security Fix

Compare Source

Update to this release if you use entity parsing in Fast XML Parser.

`v4.0.0`: v4

Compare Source

Generating different combined, parser only, builder only, validator only browser bundles
Keeping cjs modules as they can be imported in cjs and esm modules both. Otherwise refer esm branch.

4.0.0-beta.8 / 2021-12-13

call tagValueProcessor for stop nodes

4.0.0-beta.7 / 2021-12-09

fix Validator bug when an attribute has no value but '=' only
XML Builder should suppress unpaired tags by default.
documents update for missing features
refactoring to use Object.assign
refactoring to remove repeated code

4.0.0-beta.6 / 2021-12-05

Support PI Tags processing
Support suppressBooleanAttributes by XML Builder for attributes with value true.

4.0.0-beta.5 / 2021-12-04

fix: when a tag with name "attributes"

4.0.0-beta.4 / 2021-12-02

Support HTML document parsing
skip stop nodes parsing when building the XML from JS object
Support external entites without DOCTYPE
update dev dependency: strnum v1.0.5 to fix long number issue

4.0.0-beta.3 / 2021-11-30

support global stopNodes expression like "*.stop"
support self-closing and paired unpaired tags
fix: CDATA should not be parsed.
Fix typings for XMLBuilder (#396)(By Anders Emil Salvesen)
supports XML entities, HTML entities, DOCTYPE entities

⚠️ 4.0.0-beta.2 / 2021-11-19

rename attrMap to attibutes in parser output when preserveOrder:true
supports unpairedTags

⚠️ 4.0.0-beta.1 / 2021-11-18

Parser returns an array now
- to make the structure common
- and to return root level detail
renamed cdataTagName to cdataPropName
Added commentPropName
fix typings

⚠️ 4.0.0-beta.0 / 2021-11-16

Name change of many configuration properties.
- attrNodeName to attributesGroupName
- attrValueProcessor to attributeValueProcessor
- parseNodeValue to parseTagValue
- ignoreNameSpace to removeNSPrefix
- numParseOptions to numberParseOptions
- spelling correction for suppressEmptyNode
Name change of cli and browser bundle to fxparser
isArray option is added to parse a tag into array
preserveOrder option is added to render XML in such a way that the result js Object maintains the order of properties same as in XML.
Processing behaviour of tagValueProcessor and attributeValueProcessor are changes with extra input parameters
j2xparser is renamed to XMLBuilder.
You need to build XML parser instance for given options first before parsing XML.
fix #327, #336: throw error when extra text after XML content
fix #330: attribute value can have '\n',
fix #350: attributes can be separated by '\n' from tagname

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Update dependency fast-xml-parser to v4 [SECURITY]

9b35b33

renovate bot changed the title ~~Update dependency fast-xml-parser to v4 [SECURITY]~~ Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed Oct 8, 2023

renovate bot closed this Oct 8, 2023

renovate bot deleted the renovate/npm-fast-xml-parser-vulnerability branch October 8, 2023 04:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed #1

Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed #1

renovate bot commented Oct 7, 2023

Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed #1

Update dependency fast-xml-parser to v4 [SECURITY] - autoclosed #1

Conversation

renovate bot commented Oct 7, 2023

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Impact

Patches

Workarounds

References

Release Notes

v4.2.4: Security Fix

v4.0.0: v4

Configuration

`v4.2.4`: Security Fix

`v4.0.0`: v4