Vulnerable to XML Entity Expansion Injection?

[UIDecypher]

Recently, vulnerability scanning tools discovered "a vulnerability" with our project which has an integration with passport-saml. Although our nodejs server functions use sanitized JSON for inbound communication, it was discovered that through the passport-saml authentication process we have inbound SAML XML. The security team wanted assurances that passport-saml wasn't vulnerable to this attack. In reviewing documented cases which seem related to the vulnerability, we found two listed discoveries (attached urls below) that don't seem tied to a corrective action in any Passport-saml commits. Is this a real problem? Or does passport sanitize the signed assertion XML document it gets from the Client/IDP?

///Here is our scanned results:

Severity: High

Security Risks:
XML entities act as string substitution macros in an XML block. Using XML parsers configured to not prevent nor limit document type definition (DTD) entity resolution may expose the parser to an XML entity expansion (XEE) injection, also known as an XML bomb attack.

Create an XML document using following features–
Inline DTD (Document type Definition). Instead of referencing external DTD, define inline DTD as below
e.g.

· Define an entity
e.g.

]>
· Nest the declared entity recursively
e.g.

]>
&lol2;
Test multiple times, each time increasing the level of recursion. Notice delayed response from server with each increment.

The safest way to prevent XXE is always to disable DTDs (External Entities) completely.

Two related SAML XML CVE/CWE's?:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21366
https://cwe.mitre.org/data/definitions/611.html

[markstos]

@UIDecypher This a volunteer-staffed project and we would welcome your help investigating this. By reviewing the source, you can confirm which libraries we use for XML parsing, and then visit the projects for the dependency and confirm if they are patched for this issue.

I'm also moving this to a "Discussion" for now, because you are asking if the project is vulnerable, not reporting that you've confirmed that it is.

[markstos]

The write up the OP provided includes steps to produce. A great way to check if this project is vulnerable is to manually submit such broken XML and see what happens, or contribute a test to our test suite which includes such malformed XML to test to see if it's handled correctly.

[jupenur]

@UIDecypher @markstos I'm the researcher who found the vulnerability in xmldom. It's not an XXE vulnerability like some tools claim (looking at you, Snyk), but it does have a critical impact on passport-saml versions that predate this change: #551

There is also a new vulnerability in xmldom, GHSA-5fg8-2547-mr8q, with a similar impact on passport-saml; and unlike the previous one, this one has NOT been patched in the latest versions of passport-saml. Maintainers: I urge you to upgrade your dependwncies and publish a new release as soon as possible.

There's some additional context in our recent blog post: https://mattermost.com/blog/securing-xml-implementations-across-the-web/

[markstos]

I believe this was fixed in the 3.1.2 release of passport-saml when we upgraded xmldom to 0.7.2. Ref: #633