Xml External Entities in Adonisjs

XML External Entity (XXE) injection occurs when an application processes XML input that references external entities, allowing an attacker to disclose internal files, trigger SSRF, or perform denial-of-service via billion-laughs attacks. In Adonisjs, this risk primarily arises when the framework is used to parse XML payloads—for example, when consuming SOAP services or processing uploaded XML configuration or document files. Adonisjs itself does not force you to use an XML parser, so the danger emerges from the libraries you integrate, such as xml2js or fast-xml-parser, combined with Node.js XML parsers that can be configured to resolve external entities.

Adonisjs-specific code paths where XXE can appear include controller actions that accept XML payloads via HTTP requests, jobs that process uploaded XML files, and server code that parses XML in server-side rendering or configuration workflows. A typical vulnerable pattern is using Node’s built-in xml2js parser with permissive settings that resolve external entities. For instance, if you build an endpoint that accepts an XML upload and parses it without disabling external entity resolution, an attacker can supply an XML body like <!ENTITY xxe SYSTEM "file:///etc/passwd"><root>&xxe;</root> to trigger local file disclosure. In Adonisjs, this often surfaces in routes defined under start/routes.ts where raw XML bodies are read and forwarded to a parser without hardening the parser configuration.

Another Adonisjs-specific scenario involves SSRF via external entities. If the chosen XML parser is configured to fetch external DTDs, an attacker can reference internal metadata services or internal network endpoints. For example, an XML payload containing <!ENTITY % dtd SYSTEM "http://internal-service.local/dtd">%dtd; can cause the parser to make unintended outbound HTTP requests. Adonisjs jobs or CLI commands that import and parse XML exports from third-party systems are especially susceptible if the parser is not explicitly configured to prohibit external entities and network access.

To detect XXE in Adonisjs applications, focus on code review and runtime scanning of XML-handling endpoints. Look for places where XML payloads are accepted—such as file uploads with .xml extensions, webhook handlers consuming XML, or API routes that parse SOAP messages. Review usages of XML parsing libraries and check whether they resolve external entities. With xml2js, avoid options like explicitArray: false without also disabling entity resolution; with fast-xml-parser, ensure ignoreEntities is enabled. In Adonisjs, prioritize routes under start/routes.ts, jobs in app/Jobs, and any service files that invoke XML parsers.

Using middleBrick, you can scan your Adonisjs API endpoints for XXE as part of the standard 12 security checks. Because middleBrick performs unauthenticated, black-box scanning, it tests inputs that accept XML content and analyzes the runtime behavior without requiring source code access. The scan validates whether the endpoint is vulnerable to entity injection by attempting to reference local files and external resources in a controlled manner. You can run the scan from your terminal with the CLI tool: middlebrick scan https://your-adonisjs-app.com/api/upload-xml. The results include a per-category breakdown and prioritized findings with severity and remediation guidance, helping you determine whether your XML parsing paths are exposing external entity resolution.

For deeper validation, combine middleBrick’s findings with manual testing. Use crafted XML payloads in Postman or curl to confirm whether external entities are resolved. If your Adonisjs app exposes an OpenAPI spec, middleBrick’s spec analysis can highlight endpoints accepting XML content types, allowing you to correlate runtime scan results with schema definitions. This approach helps you focus remediation on the exact routes and handlers where XXE risk is present.

Remediating XXE in Adonisjs centers on configuring XML parsers to reject external entities and avoiding dangerous features like external DTDs and parameter entities. When using xml2js, explicitly disable entity resolution by avoiding options that allow external network fetches and by using a safe parser mode. For example, configure the parser to not validate and to not process external entities, and avoid relying on default options that may be permissive.

When using fast-xml-parser, set ignoreEntities to true and ensure validation remains disabled. Here is a hardened example in an Adonisjs controller that processes an XML upload:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { parse } from 'fast-xml-parser'

export default class XmlController {
  public async uploadXml({ request, response }: HttpContextContract) {
    const xml = request.input('xml')
    const options = {
      ignoreEntities: true,
      validation: false,
      allowBooleanAttributes: false,
      allowEmptyAttributes: false,
      parseTagValue: true,
      trimValues: true,
    }
    let parsed
    try {
      parsed = parse(xml, options)
    } catch (err) {
      return response.badRequest({ error: 'Invalid XML' })
    }
    // Process parsed data safely
    return response.ok({ data: parsed })
  }
}

If you rely on xml2js, explicitly configure the parser to avoid external entity resolution by not enabling options that trigger network or filesystem lookups and by using a strict parser mode where feasible:

import { parseStringPromise } from 'xml2js'

const parserOptions = {
  explicitArray: false,
  mergeAttrs: true,
  // Avoid options that enable DTD/entity resolution; use a safe wrapper or validator if available
  trim: true,
}

export async function parseXmlSafely(xml: string) {
  // Note: xml2js does not disable external entities by default in all configurations;
  // ensure you validate or sanitize input and avoid dangerous options.
  return parseStringPromise(xml, parserOptions)
}

For Adonisjs applications that consume external SOAP services, prefer HTTP clients that do not resolve external entities and avoid passing raw XML from untrusted sources into the framework’s view layer. Where possible, validate and sanitize data after parsing, and enforce strict content-type checks to ensure only expected XML formats are accepted. These steps reduce the attack surface and align with secure coding practices for XML processing in Node.js environments.