Xml External Entities in Hapi with Mongodb

An XML External Entity (XXE) vulnerability occurs when an application processes XML input and allows an attacker to define external entities that are resolved during parsing. In a Hapi.js application that accepts XML payloads and interacts with a MongoDB backend, the combination can expose sensitive data or enable server-side request forgery (SSRF) if user-controlled XML is deserialized and passed to internal services, including MongoDB operations.

Hapi does not parse XML by default; developers typically introduce an XML parser (such as xml2js or xmldom) or a GraphQL/HTTP endpoint that accepts XML. If the application then uses parsed data to build MongoDB queries—such as filtering by user-supplied fields or constructing aggregation pipelines—malicious external entities can disclose local files, trigger network requests to internal endpoints, or bypass expected data boundaries.

For example, an attacker may submit an XML payload with a DOCTYPE that defines an entity pointing to file:///etc/passwd or an internal metadata service (http://169.254.169.254/latest/meta-data/). If the Hapi route processes this XML and uses the resolved value in a MongoDB query (e.g., as a value in a find filter), the SSRF or data exposure may be chained with MongoDB behavior depending on how the driver is used. While the MongoDB driver typically does not process XML directly, a vulnerable Hapi route may construct query objects from XML-derived values, enabling unintended interactions or information disclosure when combined with logged or stored inputs.

middleBrick detects XXE vectors by analyzing OpenAPI/Swagger specs and runtime inputs, identifying places where XML is accepted and external entities could be injected. If your Hapi service exposes endpoints that accept XML and interact with sensitive backends or files, a scan can surface related findings under Input Validation and SSRF categories, along with remediation guidance mapped to frameworks such as OWASP API Top 10.

To reduce risk, avoid parsing XML from untrusted sources, disable external entity resolution in your parser, and validate and sanitize all inputs before using them to build database queries. If you must process XML, use strict DTD and entity limits, and isolate parsing in a sandboxed context. The middleBrick CLI (middlebrick scan <url>) can be used to test unauthenticated attack surfaces and surface these classes of issues alongside other checks such as Rate Limiting and Data Exposure.

Remediation focuses on preventing untrusted data from reaching MongoDB query construction and ensuring XML parsing is hardened. Below are concrete patterns for a Hapi route that safely interacts with MongoDB using the official MongoDB Node.js driver.

1. Do not parse XML from untrusted sources. If you must accept XML, disable external general entities and external DTDs. For example, with xmldom, avoid DOMParser with default settings that resolve external references. Instead, use a secure parser configuration or reject XML entirely.

2. Validate and strictly type incoming data. Use Joi or another schema validator to enforce expected shapes and reject unexpected fields before building queries.

3. Use parameterized queries and avoid concatenating user input into query objects. Build queries using known-safe values, and rely on MongoDB’s query operators explicitly.

4. Apply principle of least privilege to the MongoDB connection used by Hapi, restricting network access and operations to what is necessary.

Example: a Hapi route that safely handles structured JSON (not XML) and queries MongoDB:

// server.js
const Hapi = require('@hapi/hapi');
const { MongoClient } = require('mongodb');
const Joi = require('joi');

const validateUserEmail = Joi.object({
  email: Joi.string().email().required()
});

const run = async () => {
  const client = new MongoClient('mongodb://localhost:27017', {
    serverSelectionTimeoutMS: 5000
  });
  await client.connect();
  const db = client.db('myapp');
  const users = db.collection('users');

  const server = Hapi.server({ port: 3000, host: 'localhost' });

  server.route({
    method: 'POST',
    path: '/api/user',
    options: {
      validate: {
        payload: validateUserEmail
      },
      handler: async (request, h) => {
        const { email } = request.payload;
        // Safe: using parameterized query with known-safe value
        const user = await users.findOne({ email });
        if (!user) {
          return h.response({ error: 'Not found' }).code(404);
        }
        return user;
      }
    }
  });

  await server.start();
  console.log('Server running on %s', server.info.uri);
};

run().catch(console.error);

Example: if you must parse XML securely (e.g., for legacy integrations), disable external entities and avoid using parsed data directly in MongoDB queries. Instead, map to a validated schema:

const { DOMParser } = require('xmldom');
const xpath = require('xpath');

function parseSecureXml(xmlString) {
  // Do not resolve external entities; disable DOCTYPE and external references
  const doc = new DOMParser({ disabledEntities: true, errorHandler: { warning: () => {}, error: () => {}, fatalError: () => {} } }).parseFromString(xmlString);
  const node = xpath.select1('//user/email', doc);
  return node ? node.textContent : null;
}

// Use only after strict schema validation
const rawEmail = parseSecureXml(xmlPayload);
const safeEmail = rawEmail && String(rawEmail).trim();
// Validate before using in any backend call, including MongoDB

For continuous assurance, integrate middleBrick’s checks into your workflow. Use the middlebrick CLI (middlebrick scan <url>) to test endpoints and review findings for Input Validation and SSRF. In CI/CD, the GitHub Action can fail builds if security scores drop below your chosen threshold, and the Pro plan enables continuous monitoring with configurable schedules and alerts.