ast/xxe-xml-parser-external-entities

XML parser configured to expand external entities (XXE)

high · AST · xxe · CWE-611 · js · ts

What it detects

An XML parser was constructed (or invoked) with an option that lets it fetch external DTDs or expand external entities: `allowDtd: true` (fast-xml-parser), or `noent: true` / `dtdload: true` / `external: true` (libxmljs / xml2js). A crafted payload such as `<!DOCTYPE x [<!ENTITY a SYSTEM "file:///etc/passwd">]>` then reads server files into the response. Default-deny: leave the flag at its safe default and enable it only when consuming XML from a fully trusted source. For libxmljs, prefer `parseXml(buf, { noent: false, nonet: true })`.
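As an added example (not part of this rule's page or the scanner's own code), the two defensive moves the rule asks for, in plain Node.js with no XML library: a pre-parse guard that inspects the DOCTYPE before any parser sees the document, and a helper that strips the flagged options and forces the recommended libxmljs settings. The option names are the ones listed above; the sample payload in the test is constructed.

```javascript
// Option names the rule flags when set to true (fast-xml-parser / libxmljs / xml2js).
const UNSAFE_FLAGS = ['allowDtd', 'noent', 'dtdload', 'external'];

// Which of the flagged options an options object actually enables.
function unsafeParserFlags(options = {}) {
  return UNSAFE_FLAGS.filter((k) => options[k] === true);
}

// Copy of the options with entity expansion and DTD loading off and network
// access forbidden; unrelated options (e.g. `recover`) are preserved.
function hardenLibxmljsOptions(options = {}) {
  const safe = { ...options };
  for (const k of UNSAFE_FLAGS) delete safe[k];
  return { ...safe, noent: false, dtdload: false, nonet: true };
}

// Entity declarations are only legal inside the DTD, so everything from the
// DOCTYPE onward is scanned. This is deliberately overbroad (it fails closed).
const EXTERNAL_ENTITY = /<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b/gi;

// Reports whether a DOCTYPE is present and which entities it declares with an
// external identifier; a leading '%' marks a parameter entity.
function classifyDoctype(xml) {
  const at = xml.search(/<!DOCTYPE\b/i);
  const hasDoctype = at !== -1;
  const externalEntities = [];
  if (hasDoctype) {
    for (const m of xml.slice(at).matchAll(EXTERNAL_ENTITY)) {
      externalEntities.push((m[1] ? '%' : '') + m[2]);
    }
  }
  return { hasDoctype, externalEntities };
}

// Default-deny: any DOCTYPE is rejected. With allowInternalDtd, a DTD that
// declares no SYSTEM/PUBLIC entities is tolerated.
function shouldReject(xml, { allowInternalDtd = false } = {}) {
  const { hasDoctype, externalEntities } = classifyDoctype(xml);
  if (!hasDoctype) return false;
  return allowInternalDtd ? externalEntities.length > 0 : true;
}
```

Run `shouldReject` on the raw request body before calling any parser; the hardened options are a second layer, not a replacement for it.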

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.