
Segmentation fault #17

Closed
samskeller opened this issue Feb 7, 2018 · 8 comments

Comments

@samskeller

Hi there,

I'm using libxml-to-js in a node app and finding that I can consistently crash the XML parser -- though it doesn't look like the crash is coming from libxmljs because I can use that package with this XML and it doesn't cause a segmentation fault (though it doesn't parse at all).

Here's what I'm running in a node prompt:

> var parser = require('libxml-to-js');
> var xml = `<?xml version="1.0" encoding="ISO-8859-1"?>  <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe "DEMOTEXT" >]> <firstTag> <secondTag>&xxe;</secondTag></firstTag>`;
> parser(xml, function (error, result) {
... if (error) {
..... console.error(error);
..... } else {
..... console.log(result);
..... }
... });
Segmentation fault

This consistently results in a Segmentation fault.

However, if I use the libxmljs library directly, it just doesn't result in a parsed object, though no segmentation fault:

> var libxmljs = require("libxmljs");
> var xml = `<?xml version="1.0" encoding="ISO-8859-1"?>  <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe "DEMOTEXT" >]> <firstTag> <secondTag>&xxe;</secondTag></firstTag>`;
> var xmlDoc = libxmljs.parseXml(xml);
> xmlDoc
Document { errors: [] }

I'm using 0.3.12 and have tested it on 0.3.11 as well and am using node 8.8.1 locally as well as node 8.9.3 on my application server where it crashes as well. Am I doing something wrong here? Or is this a bug in libxml-to-js?

Thanks!

@SaltwaterC
Owner

Hi Sam,

Unfortunately this is a long-standing issue in libxmljs which I reported a long time ago as libxmljs/libxmljs#226.

Cheers,
Ștefan

@SaltwaterC
Owner

BTW, your libxmljs code doesn't trigger the segmentation fault because internally libxml-to-js uses parseXmlString rather than parseXml.

@samskeller
Author

@SaltwaterC I'm a little confused -- how come I'm not getting a segmentation fault when using libxmljs directly, then?

@samskeller
Author

samskeller commented Feb 7, 2018

@SaltwaterC following my example above with parseXmlString instead of parseXml still doesn't produce a segfault for me?

@SaltwaterC
Owner

I was just replying to your question :-)

@samskeller
Author

Ah looks like we were writing messages at the same time :) let me know about my question about using parseXmlString when you have a minute! Thanks

@SaltwaterC
Owner

SaltwaterC commented Feb 7, 2018

Had to switch to a keyboard as typing this answer on my phone isn't very easy. The issue doesn't happen when parseXmlString is invoked, but when the document is actually consumed. The crash is triggered somewhere down in the recursion. My comment on the upstream issue with the minimal code required to trigger the segfault shows how to reproduce it without libxml-to-js.

Basically:

var libxmljs = require('libxmljs');
// Same document as above: an internal DTD entity (&xxe;) referenced from an element.
var xml = `<?xml version="1.0" encoding="ISO-8859-1"?>  <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe "DEMOTEXT" >]> <firstTag> <secondTag>&xxe;</secondTag></firstTag>`;
var xmlDoc = libxmljs.parseXmlString(xml); // parsing succeeds; the crash comes later, while walking the tree

var calls = 0;

// Stripped-down version of the libxml-to-js recursion: for every node, read its
// attributes and then descend into its children.
var libxml2js = function (obj, recurse) {
    calls++;
    console.log('call to libxml2js #%d', calls);

    var i, chlen;

    if ( ! recurse) { // dealing with the root element
        obj = obj.root();
    }

    var jsobj = {}, children = obj.childNodes();
    var attributes = obj.attrs(); // this is the problematic call on the *fifth* run

    for (i = 0, chlen = children.length; i < chlen; i++) {
        console.log('iteration #%d', i);
        libxml2js(children[i], true); // children[i] is the expanded entity node on the failing call
    }

    if ( ! recurse) {
        return jsobj;
    }

    return {
        jsobj: jsobj
    };
};

libxml2js(xmlDoc);

Which produces:

call to libxml2js #1
iteration #0
call to libxml2js #2
iteration #1
call to libxml2js #3
iteration #0
call to libxml2js #4
iteration #0
call to libxml2js #5
Assertion failed: (attr->type == XML_ATTRIBUTE_NODE), function New, file ../src/xml_attribute.cc, line 35.
[1]    17568 abort      node

node -v
v9.3.0

Template literals make inlining the XML payload so much easier these days. Wish I had had that when I reported the issue upstream.
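The crash above is reachable only because the document carries a DOCTYPE with an internal entity declaration, which is exactly the shape of input a libxml-to-js caller should not accept from untrusted sources in the first place (the same construct is the entry point for XXE). The following is an added example, not code from libxml-to-js or libxmljs: a pre-parse guard written in plain JavaScript that scans the XML prolog for a DOCTYPE and reports what it declares, so the caller can reject DTD-carrying documents before they reach the parser. The function names (`classifyDtd`, `rejectReason`) and the three sample documents are this example's own; the first sample is the payload from this thread, the other two are constructed variants.

```javascript
'use strict';

// Added example (not libxmljs / libxml-to-js code): a fail-closed guard that
// inspects the XML prolog for a DOCTYPE before the string reaches a parser.
// Pure string scanning, so it runs without any XML library installed.

// Scan one DOCTYPE declaration starting at `i` (just past "<!DOCTYPE") and
// record what it declares in `out`. Returns the index just past the closing ">".
function scanDoctype(xml, i, out) {
  const head = /^\s*([^\s\[>]+)(?:\s+(SYSTEM|PUBLIC)\b)?/.exec(xml.slice(i));
  if (!head) throw new Error('malformed DOCTYPE');
  out.rootName = head[1];
  if (head[2]) out.externalSubset = true;      // <!DOCTYPE x SYSTEM "x.dtd">
  i += head[0].length;

  let inSubset = false;
  let quote = null;
  while (i < xml.length) {
    const c = xml[i];
    if (quote) {                                 // inside a quoted literal
      if (c === quote) quote = null;
      i++; continue;
    }
    if (c === '"' || c === "'") { quote = c; i++; continue; }
    if (!inSubset) {
      if (c === '[') { inSubset = true; i++; continue; }
      if (c === '>') return i + 1;              // end of the declaration
      i++; continue;
    }
    // Inside the internal subset "[ ... ]".
    if (c === ']') { inSubset = false; i++; continue; }
    if (xml.startsWith('<!--', i)) {
      const end = xml.indexOf('-->', i + 4);
      if (end < 0) throw new Error('unterminated comment in DTD');
      i = end + 3; continue;
    }
    if (xml.startsWith('<!ENTITY', i)) {
      const m = /^<!ENTITY\s+(%\s*)?([^\s"'>]+)(?:\s+(SYSTEM|PUBLIC)\b)?/.exec(xml.slice(i));
      if (!m) throw new Error('malformed ENTITY declaration');
      out.entities.push({ name: m[2], parameter: !!m[1], external: !!m[3] });
      i += m[0].length; continue;                // the quoted value is consumed by the quote logic above
    }
    i++;
  }
  throw new Error('unterminated DOCTYPE');
}

// Walk the prolog (XML declaration, PIs, comments) up to the root element and
// summarise any DOCTYPE found on the way.
function classifyDtd(xml) {
  const out = { hasDoctype: false, rootName: null, externalSubset: false, entities: [] };
  let i = xml.charCodeAt(0) === 0xfeff ? 1 : 0; // skip a BOM
  while (i < xml.length) {
    const c = xml[i];
    if (c === ' ' || c === '\t' || c === '\n' || c === '\r') { i++; continue; }
    if (xml.startsWith('<?', i)) {               // XML declaration or processing instruction
      const end = xml.indexOf('?>', i + 2);
      if (end < 0) throw new Error('unterminated processing instruction');
      i = end + 2; continue;
    }
    if (xml.startsWith('<!--', i)) {             // comment: "<!DOCTYPE" inside it does not count
      const end = xml.indexOf('-->', i + 4);
      if (end < 0) throw new Error('unterminated comment');
      i = end + 3; continue;
    }
    if (xml.startsWith('<!DOCTYPE', i)) {
      if (out.hasDoctype) throw new Error('multiple DOCTYPE declarations');
      out.hasDoctype = true;
      i = scanDoctype(xml, i + 9, out);
      continue;
    }
    break;                                       // root element reached (or junk): the prolog is over
  }
  return out;
}

// Returns a reason string when the document must not be handed to the parser,
// or null when it carries no DTD at all. Any DOCTYPE is rejected; the reason
// just says which kind, from most to least dangerous.
function rejectReason(xml) {
  const d = classifyDtd(xml);
  if (!d.hasDoctype) return null;
  if (d.externalSubset) return 'external DTD subset';
  const ext = d.entities.filter((e) => e.external).map((e) => e.name);
  if (ext.length) return `external entities: ${ext.join(', ')}`;
  if (d.entities.length) return `internal entities: ${d.entities.map((e) => e.name).join(', ')}`;
  return 'DOCTYPE present';
}

// Constructed samples: the thread's payload plus two variants of my own.
const SAMPLES = {
  threadPayload: `<?xml version="1.0" encoding="ISO-8859-1"?>  <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe "DEMOTEXT" >]> <firstTag> <secondTag>&xxe;</secondTag></firstTag>`,
  externalEntity: `<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]><foo>&xxe;</foo>`,
  commentOnly: `<?xml version="1.0"?><!-- <!DOCTYPE trap [ <!ENTITY x "y"> ]> --><foo>ok</foo>`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, xml] of Object.entries(SAMPLES)) {
    console.log(name, '->', rejectReason(xml) || 'no DTD, safe to hand to the parser');
  }
}
```

Call `rejectReason(xml)` before `parser(xml, cb)` and return an error instead of parsing when it is non-null. The guard is deliberately fail-closed: it rejects every DOCTYPE, not just ones with entity declarations, because libxml2 itself can still fetch an external subset or expand parameter entities that a simpler `<!ENTITY` check would miss. It does not fix the libxmljs crash; it keeps the triggering input out of the parser.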

@samskeller
Author

Gotcha -- thanks for the explanation @SaltwaterC! Bummer that they haven't fixed this yet 😞 -- I'll add onto that thread to mention my experience
