Instawork / hyperview

Server-driven mobile apps with React Native

Home Page:https://hyperview.org


[CVE-2022-39353] Vulnerability in xmldom-instawork

ffcd00 opened this issue · comments

Description

The xmldom package has been found to contain a security vulnerability, as reported by CVE-2022-39353. The vulnerability occurs when parsing XML that is not well-formed due to multiple top-level elements. xmldom adds all root nodes to the childNodes collection of the Document without throwing an error or reporting it, which violates the assumption that there is only a single root node in the tree. Since xmldom-instawork is a fork of xmldom, it is also potentially impacted by the same vulnerability. This raises a potential issue for dependents.

Recommendations

The recommended solution is to update to one of the following versions:

  • @xmldom/xmldom@~0.7.7
  • @xmldom/xmldom@~0.8.4 (dist-tag latest)
  • @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next)

Additional Information

The vulnerability in xmldom has been resolved with the commit c02f786216bed70825f9a351c65e61500f51e931. To address the security vulnerability in xmldom-instawork, the changes made in @xmldom/xmldom could be ported over.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39353
GHSA-crh6-fp67-6883
jindw/xmldom#150
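As an added illustration (not code from this issue, from hyperview or from xmldom), the Document-parent branch of the WHATWG DOM "ensure pre-insertion validity" algorithm, which is the rule the parser has to apply before attaching a parsed root node; the node objects and the demo tree are constructed for the example.

```javascript
// Added example (not from this issue or from xmldom): the Document-parent branch
// of the WHATWG DOM "ensure pre-insertion validity" algorithm. A conforming
// parser runs this before attaching a parsed root, so a second top-level
// element raises HierarchyRequestError instead of being silently appended.
const ELEMENT_NODE = 1, TEXT_NODE = 3, DOCUMENT_NODE = 9, DOCUMENT_TYPE_NODE = 10;
class HierarchyRequestError extends Error {}
// Minimal constructed node objects standing in for a real DOM implementation.
const makeNode = (nodeType, nodeName) => ({ nodeType, nodeName, childNodes: [], parentNode: null });

// May `node` be inserted into Document `parent` before `child` (null = append)?
// Throws HierarchyRequestError on a violation, returns true otherwise.
function ensurePreInsertionValidity(parent, node, child) {
  if (parent.nodeType !== DOCUMENT_NODE) return true; // only the Document rules here
  const kids = parent.childNodes;
  const idx = child ? kids.indexOf(child) : kids.length;
  const hasType = (list, t) => list.some((n) => n.nodeType === t);
  if (node.nodeType === TEXT_NODE) throw new HierarchyRequestError('text node as Document child');
  if (node.nodeType === ELEMENT_NODE) {
    // Spec: parent already has an element child, or a doctype is child / follows child.
    if (hasType(kids, ELEMENT_NODE) || hasType(kids.slice(idx), DOCUMENT_TYPE_NODE)) {
      throw new HierarchyRequestError('Document already has a root element');
    }
  } else if (node.nodeType === DOCUMENT_TYPE_NODE) {
    // Spec: parent already has a doctype, or an element precedes the insert point.
    if (hasType(kids, DOCUMENT_TYPE_NODE) || hasType(kids.slice(0, idx), ELEMENT_NODE)) {
      throw new HierarchyRequestError('duplicate doctype or doctype after root element');
    }
  }
  return true;
}

// appendChild with the check applied; the unfixed behaviour is the push without it.
function safeAppendChild(parent, node) {
  ensurePreInsertionValidity(parent, node, null);
  parent.childNodes.push(node);
  node.parentNode = parent;
  return node;
}

// Audit helper for a tree built by a lenient parser: how many top-level elements?
function countRootElements(doc) {
  return doc.childNodes.filter((n) => n.nodeType === ELEMENT_NODE).length;
}
function demoTwoRoots() {  // constructed "<a/><b/>": the second root must be rejected
  const doc = makeNode(DOCUMENT_NODE, '#document');
  safeAppendChild(doc, makeNode(ELEMENT_NODE, 'a'));
  try { safeAppendChild(doc, makeNode(ELEMENT_NODE, 'b')); return 'accepted'; }
  catch (e) { return e instanceof HierarchyRequestError ? 'rejected' : 'unexpected'; }
}
```

Running countRootElements over a Document produced by the current fork is a quick way to tell whether a given input has hit the multiple-root case.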

Some exploration of changes that may not be backwards compatible; we will need to investigate more:

xmldom changes:

https://github.com/xmldom/xmldom/releases/tag/0.5.0

  • Improve error reporting; throw on duplicate attribute
  • BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them.
  • It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

https://github.com/xmldom/xmldom/releases/tag/0.8.0

  • Normalize all line endings according to XML specs 1.0 and 1.1
  • BREAKING CHANGE: Certain combinations of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
  • #303 / #307
  • #49, #97, #324 / #314
  • XMLSerializer: Preserve whitespace character references #284 / #310
  • BREAKING CHANGE: If you relied on the non-spec-compliant preservation of literal \t, \n or \r in attribute values.
  • To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. &#9;, &#10;, &#13;).
  • Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309
  • BREAKING CHANGE: Use the one provided by the main package export.
  • dom: Remove all links as part of removeChild #343 / #355

https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.1

  • BREAKING CHANGE: Correct the return type of DOMParser.parseFromString to Document | undefined. In case of parsing errors it was always possible that "the returned Document" has not been created. In case you are using TypeScript you now need to handle those cases.
  • BREAKING CHANGE: The instance property DOMParser.options is no longer available; instead use the individual readonly property per option (assign, domHandler, errorHandler, normalizeLineEndings, locator, xmlns). Those also provide the default value if the option was not passed. The 'locator' option is now just a boolean (default remains true).

https://github.com/xmldom/xmldom/releases/tag/0.7.7

  • Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353
  • In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly.
  • In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
  • This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
  • Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

We could potentially upgrade to 0.7.7 as recommended, to avoid expanding the test surface area in the 0.8 and 0.9 releases.