fiznool / body-parser-xml Goto Github PK

👋 Hello, @fiznool - a potential high severity Prototype Pollution vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-fiznool/body-parser-xml for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

npm audit is informing me of this vulnerability:

xml2js  <=0.4.23
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
  body-parser-xml  *
  Depends on vulnerable versions of xml2js
  node_modules/body-parser-xml

xml2js released 0.5.0 version with this fix, please update the dependency.

as described in this issue, I import lib as follows:

import bodyParser from "body-parser";
import bodyParserXml from "body-parser-xml";

However, then I get

(node:98360) UnhandledPromiseRejectionWarning: TypeError: body_parser_xml_1.default is not a function

Usage with require works well, but is not wanted by Eslint.
Do you have suggestion how to fix this?

Hi,
I was trying to open a PR but i have trouble with permissions.

In some cases xml2js.Parser parseString() can throw an error after execute the callback.

This leads to the emission of a node 'uncaughtException' in the express application.

Following lines (index.js 32-40)

parser.parseString(req.body, function(err, xml) {
    if(err) {
        err.status = 400;
        return next(err);
    }

    req.body = xml || req.body;
    next();
});

Should be wrapped

try {
    parser.parseString(req.body, function(err, xml) {
        if(err) {
            err.status = 400;
            return next(err);
        }
    
        req.body = xml || req.body;
        next();
    });
} catch (err) {
    // in some cases xml2js.Parser parseString() can
    // throw an error after execute the callback
    // see it source code for more details
}

Hi Could you update your dev dependencies, as they are out of date. This is a great module and I would hate for it to break down! Thanks!

With latest versions of express, body-parser is integrated in the express itself and provides the same middleware (Docs: https://expressjs.com/en/api.html#express.json). It would be good to use Express middleware directly for xml as well, instead of body-parser.

Example:

const express = require('express');
require('body-parser-xml')(express);

const app = express();
app.use(express.xml());

This module uses bodyparser.text() to parse body as text and passes options object to configure it.

As you can see here, bodyparser accepts options.type options as function, which allows user to control type matching precisely.

Unfortunately, in body-parser-xml there is a line where it check if passed options.type is not an array and convert it into array thus breaking default bodyparser.text()'s ability to use user's function, because that function checks if passed 'type' option is a function

How it should go with es6 import?

[email protected] was found to have a regression, per this issue: Leonidas-from-XIV/node-xml2js#677

It was resolved in 0.6.0. Is it possible to update the xml2js dependency to "^0.6.0"?