allow to use libxml2-wasm for XML validation
#1184
Conversation
Due to libxmljs2 not being maintained and contains a vulnerability, a replacement needed to be found. This commit replaces it with libxml2-wasm, which is a new, but maintained library, which serves the purpose of validating XML. The implementation is as close the the previous library in regards to flags passed to libxml2, but only adapted to a different interface and the recommendation to dispose all objects. This is my first contribution to this project, and typescript isn't my usual language, so comments are welcome. Resolves: CycloneDX#1079 Signed-off-by: Leon Grave <[email protected]>
|
thanks for donating this feature, @SierraNL . let me clarify some things:
this is not the case. The current
This is true in the long term, but we do not intend to replace |
| const schema = XmlDocument.fromString( | ||
| await readFile(schemaPath, 'utf-8'), | ||
| { | ||
| option: ParseOption.XML_PARSE_NONET | ParseOption.XML_PARSE_COMPACT, |
There was a problem hiding this comment.
is this XEE safe? see https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
There was a problem hiding this comment.
The interface for this wrapper is somewhat different, building the parse options is combining the flags you want on. In the other implementation it's an object where they could be turned on and off explicitely. So this should result in the same options.
I also added this implementation to the xmlValidator tests, and that includes an XXE test.
There was a problem hiding this comment.
lets see how the tests turn out.
Signed-off-by: Leon Grave <[email protected]>
Signed-off-by: Leon Grave <[email protected]>
Signed-off-by: Leon Grave <[email protected]>
| @@ -22,7 +22,8 @@ There are several implementations for this: | |||
| * [`libxmljs3`](https://www.npmjs.com/package/libxmljs3) | |||
| * unmaintained copy of `libxmljs2` | |||
| * ! DO NOT USE ! | |||
| * Any alternative? Please open a pull-request to add them. | |||
| const validator = XsdValidator.fromDoc(schema); | ||
|
|
||
| return function (data: string): null | ValidationError { | ||
| const doc = XmlDocument.fromString(data, { option: ParseOption.XML_PARSE_NONET | ParseOption.XML_PARSE_COMPACT }); |
There was a problem hiding this comment.
the options should be a constant, that is created outside the function.
| } | ||
|
|
||
| doc.dispose(); | ||
| validator.dispose(); |
There was a problem hiding this comment.
really free/dispose the validator and schema here?
There was a problem hiding this comment.
Good point, this will go wrong the second call. I could just not dispose the validator and the schema. But the library emphasises proper disposing (https://jameslan.github.io/libxml2-wasm/v0.4/documents/Memory_Management.html). Here I'm really lacking in Typescript knowledge on how to solve this, could I use a using here?
There was a problem hiding this comment.
regarding using, read here: https://www.totaltypescript.com/typescript-5-2-new-keyword-using
regarding manually disposing/freeing: maybe just try it out. in the end, it all is javascript - just see what you can do.
Signed-off-by: Leon Grave <[email protected]>
jkowalleck
changed the title
libxml2-wasm for XML validation
Due to libxmljs2 not being maintained and contains a vulnerability, a replacement needed to be found. This commit replaces it with libxml2-wasm, which is a new, but maintained library, which serves the purpose of validating XML.
The implementation is as close the the previous library in regards to flags passed to libxml2, but only adapted to a different interface and the recommendation to dispose all objects.
This is my first contribution to this project, and typescript isn't my usual language, so comments are welcome.
related to: #1079