JS: Exclude patched libraries from xml-bomb sink #20048
Merged
Napalys merged 4 commits into github:main (Aug 29, 2025)
Pull Request Overview
This PR updates XML bomb vulnerability detection by removing libxmljs and lxml from the list of vulnerable XML parsing sinks. The underlying libxml2 C library has been patched with entity reference loop detection that prevents XML bomb attacks, making these libraries no longer vulnerable to such attacks.
Key changes:
- Removed XML bomb vulnerability detection for `libxmljs` in JavaScript
- Removed XML bomb vulnerability detection for `lxml` in Python
- Updated test expectations to reflect the reduced number of detected vulnerabilities
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll | Updated libxmljs parsers to only resolve external/parameter entities, not internal entities |
| python/ql/lib/semmle/python/frameworks/Lxml.qll | Removed XML bomb detection logic for lxml parsers with explanatory comment |
| javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md | Added changelog entry documenting libxmljs changes |
| python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md | Added changelog entry documenting lxml changes |
| Various test files | Updated test expectations and removed XML bomb alert comments |
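To verify the libxml2 behaviour this review relies on, here is an added check (not part of the PR or of CodeQL's code) that assumes `lxml` is installed and drives its default parser with a constructed nested-entity document; it reports whether libxml2 aborts the expansion while a benign internal entity still expands normally.

```python
"""Regression check for libxml2's entity-amplification guard, as seen through lxml.
Assumes lxml (which wraps libxml2) is installed. Both documents are constructed
here; the nested one has the classic exponential-expansion shape but stays well
under 1 KB on disk, so only the parser's guard keeps it from blowing up."""
from lxml import etree


def build_nested_entity_doc(depth: int, fanout: int = 10) -> bytes:
    """DTD where entity e{n} references e{n-1} `fanout` times; fully expanded,
    the root element would contain fanout**depth copies of e0's text."""
    decls = ['<!ENTITY e0 "lol">']
    for n in range(1, depth + 1):
        refs = f"&e{n - 1};" * fanout
        decls.append(f'<!ENTITY e{n} "{refs}">')
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE r [\n{dtd}\n]>\n<r>&e{depth};</r>'.encode()


def expand_with_default_parser(doc: bytes) -> str:
    """Parse with lxml's default XMLParser, which resolves internal entities
    and leaves huge_tree=False. huge_tree=True maps to XML_PARSE_HUGE and
    switches the amplification guard off, so never set it for untrusted input."""
    return etree.fromstring(doc).text or ""


def entity_bomb_is_rejected(depth: int = 8) -> bool:
    """True when libxml2 stops the parse (XMLSyntaxError, reported as an entity
    reference loop or amplification-limit error depending on the version)
    instead of materialising fanout**depth expansions."""
    try:
        expand_with_default_parser(build_nested_entity_doc(depth))
    except etree.XMLSyntaxError:
        return True
    return False


def benign_entities_still_expand() -> bool:
    """A handful of references to a small internal entity stay far below the
    limit, so the guard must not reject ordinary DTD usage."""
    return expand_with_default_parser(build_nested_entity_doc(1, fanout=3)) == "lol" * 3


if __name__ == "__main__":
    print("nested entity bomb rejected:", entity_bomb_is_rejected())
    print("benign entity document expands:", benign_entities_still_expand())
```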
owen-mc approved these changes on Aug 28, 2025
Removed `libxmljs` and `lxml` from the XML bomb sink list, as their underlying C library has been patched and they are no longer vulnerable.