@oculum/scanner 1.0.11 → 1.0.13

package/src/detect/structural/ssrf-detection.ts

@@ -0,0 +1,300 @@
+/**
+ * Layer 2: SSRF (Server-Side Request Forgery) Detector
+ * Detects user input flowing to server-side HTTP request sinks
+ *
+ * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
+ * CWE-918: Server-Side Request Forgery
+ */
+
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.40
+
+interface SSRFOptions {
+  parsed?: ParsedFile
+}
+
+/** User input source patterns */
+const USER_INPUT_PATTERN = /(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/
+
+/** Check if file is client-side (SSRF is server-only) */
+function isClientSideFile(content: string, filePath: string): boolean {
+  if (/['"]use client['"]/.test(content)) return true
+  // .tsx/.jsx in components dir without server indicators
+  if (/\/components\//.test(filePath) && !content.includes('express()') && !/['"]use server['"]/.test(content)) {
+    return true
+  }
+  return false
+}
+
+/**
+ * Check surrounding context for SSRF mitigations
+ */
+function hasSSRFMitigation(lines: string[], lineIndex: number, windowSize: number = 15): boolean {
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize + 1)
+  const context = lines.slice(start, end).join('\n')
+
+  // Allowlist validation
+  if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(context)) return true
+  if (/allowList|allowlist|whitelist|whiteList/.test(context)) return true
+
+  // URL validation with host/origin check
+  if (/new\s+URL\(/.test(context) && /\.(?:hostname|host|origin)/.test(context)) return true
+
+  // IP range checking
+  if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(context)) return true
+  if (/(?:127\.0\.0\.1|10\.\d|192\.168\.|169\.254\.)/.test(context) && /(?:block|reject|deny|forbidden)/i.test(context)) return true
+
+  // Environment variable source
+  if (/process\.env\./i.test(context)) {
+    // Check if the URL comes from env var, not just any env var in context
+    const envLineCount = lines.slice(start, end).filter(l => /process\.env\./.test(l)).length
+    const userInputCount = lines.slice(start, end).filter(l => USER_INPUT_PATTERN.test(l)).length
+    if (envLineCount > 0 && userInputCount <= 1) return false // Don't suppress just because env vars exist
+  }
+
+  return false
+}
+
+/**
+ * Detect SSRF patterns in server-side code
+ */
+export function detectSSRFPatterns(
+  content: string,
+  filePath: string,
+  options?: SSRFOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isTestOrMockFile(filePath)) return vulnerabilities
+  if (isClientSideFile(content, filePath)) return vulnerabilities
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  // ========== Pass 1: Direct taint — user input in HTTP sinks ==========
+  const DIRECT_SSRF_PATTERNS = [
+    // fetch(req.body.url), fetch(req.query.endpoint)
+    /(?:fetch|got|undici\.request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/,
+    // axios.get(req.body.url)
+    /axios\.(?:get|post|put|delete|patch|head|options|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // http.get(req.body.url), https.get(...)
+    /https?\.(?:get|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // got(req.body.url)
+    /got\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+    // Python: requests.get(request.args.get('url'))
+    /requests\.(?:get|post|put|delete|patch|head|options)\s*\(\s*(?:request\.(?:args|form|json|data)\.get|request\.(?:args|form|json|data)\[)/,
+    // Python: urllib.request.urlopen(request.args.get('url'))
+    /urllib\.request\.urlopen\s*\(\s*(?:request\.(?:args|form|json))/,
+  ]
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    for (const pattern of DIRECT_SSRF_PATTERNS) {
+      if (pattern.test(line)) {
+        if (hasSSRFMitigation(lines, i)) continue
+
+        vulnerabilities.push({
+          id: `ssrf-${filePath}-${i + 1}-direct`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'ssrf',
+          title: 'SSRF: User input in HTTP request',
+          description:
+            'User-controlled input flows directly to a server-side HTTP request. An attacker could force the server to make requests to internal services, cloud metadata endpoints (169.254.169.254), or other sensitive resources.',
+          suggestedFix:
+            'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+        break
+      }
+    }
+  }
+
+  // ========== Pass 2: Open redirect ==========
+  const OPEN_REDIRECT_PATTERNS = [
+    // res.redirect(req.query.next)
+    /res\.redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+    // redirect(req.query.returnTo)
+    /(?<!\w)redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+  ]
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    for (const pattern of OPEN_REDIRECT_PATTERNS) {
+      if (pattern.test(line)) {
+        if (hasSSRFMitigation(lines, i)) continue
+
+        vulnerabilities.push({
+          id: `ssrf-${filePath}-${i + 1}-redirect`,
+          filePath,
+          lineNumber: i + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'ssrf',
+          title: 'Open redirect: User input in redirect',
+          description:
+            'User-controlled input is used in a server redirect. An attacker could craft a URL that redirects users to a malicious site for phishing.',
+          suggestedFix:
+            'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+        break
+      }
+    }
+  }
+
+  // ========== Pass 3: Variable-mediated taint ==========
+  // Track: const url = req.body.url; ... fetch(url)
+  const taintedVars = new Map<string, number>() // varName -> lineIndex
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    // Detect taint sources: const/let/var url = req.body.url
+    const taintMatch = line.match(
+      /(?:const|let|var)\s+(\w+)\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/
+    )
+    if (taintMatch) {
+      taintedVars.set(taintMatch[1], i)
+      continue
+    }
+
+    // Also detect destructuring: const { url } = req.body
+    const destructMatch = line.match(
+      /(?:const|let|var)\s*\{([^}]+)\}\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params)/
+    )
+    if (destructMatch) {
+      const vars = destructMatch[1].split(',').map(v => v.trim().split(':')[0].trim())
+      for (const v of vars) {
+        if (v) taintedVars.set(v, i)
+      }
+      continue
+    }
+
+    // Check if tainted variable flows to HTTP sink (within 20 lines)
+    if (taintedVars.size > 0) {
+      const httpSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request)|undici\.request)\s*\(/
+      if (httpSinkPattern.test(line)) {
+        for (const [varName, sourceLineIdx] of taintedVars) {
+          if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+            // Check if the variable is used in this sink call
+            const varPattern = new RegExp(`\\b${varName}\\b`)
+            if (varPattern.test(line)) {
+              if (hasSSRFMitigation(lines, i)) continue
+
+              vulnerabilities.push({
+                id: `ssrf-${filePath}-${i + 1}-mediated`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity: 'medium',
+                category: 'ssrf',
+                title: 'SSRF: Variable-mediated user input in HTTP request',
+                description:
+                  `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to an HTTP request sink. An attacker could control the request destination.`,
+                suggestedFix:
+                  'Validate the URL against an allowlist before making the request. Block private IP ranges.',
+                confidence: 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 2,
+        source: 'structural' as const,
+                requiresAIValidation: true,
+              })
+              break
+            }
+          }
+        }
+      }
+
+      // Check for redirect sinks too
+      const redirectSinkPattern = /(?:res\.redirect|redirect)\s*\(/
+      if (redirectSinkPattern.test(line)) {
+        for (const [varName, sourceLineIdx] of taintedVars) {
+          if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+            const varPattern = new RegExp(`\\b${varName}\\b`)
+            if (varPattern.test(line)) {
+              if (hasSSRFMitigation(lines, i)) continue
+
+              vulnerabilities.push({
+                id: `ssrf-${filePath}-${i + 1}-redirect-mediated`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity: 'medium',
+                category: 'ssrf',
+                title: 'Open redirect: Variable-mediated user input',
+                description:
+                  `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to a redirect call.`,
+                suggestedFix: 'Validate redirect URL against an allowlist of permitted paths.',
+                confidence: 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 2,
+        source: 'structural' as const,
+                requiresAIValidation: true,
+              })
+              break
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // ========== Pass 4: Template literal with user input in URL ==========
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    // fetch(`${req.query.baseUrl}/api`) or fetch(`http://${req.body.host}/path`)
+    const templateSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request))\s*\(\s*`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/
+    if (templateSinkPattern.test(line)) {
+      // Avoid duplicate with direct taint
+      const alreadyFound = vulnerabilities.some(
+        v => v.lineNumber === i + 1 && v.filePath === filePath
+      )
+      if (alreadyFound) continue
+      if (hasSSRFMitigation(lines, i)) continue
+
+      vulnerabilities.push({
+        id: `ssrf-${filePath}-${i + 1}-template`,
+        filePath,
+        lineNumber: i + 1,
+        lineContent: line.trim(),
+        severity: 'high',
+        category: 'ssrf',
+        title: 'SSRF: User input interpolated in HTTP request URL',
+        description:
+          'User-controlled request data is interpolated into an HTTP request URL via template literal. An attacker could manipulate the request destination.',
+        suggestedFix:
+          'Extract and validate the user input before constructing the URL. Use an allowlist of permitted domains.',
+        confidence: 'high',
+        baseConfidence: BASE_CONFIDENCE,
+        layer: 2,
+        source: 'structural' as const,
+      })
+    }
+  }
+
+  return vulnerabilities
+}

package/src/{layer2 → detect/structural}/variables.ts

@@ -3,8 +3,11 @@
  * Identifies variable names associated with sensitive data
  */
 
-import type { Vulnerability, SensitiveVariablePattern } from '../types'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, SensitiveVariablePattern } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.20
 
 // Patterns for sensitive variable names
 export const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[] = [
@@ -120,14 +123,15 @@ function isTypeDefinition(line: string): boolean {
 
 export function detectSensitiveVariables(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
 
   lines.forEach((line, index) => {
     // Skip comments
@@ -159,7 +163,9 @@ export function detectSensitiveVariables(
             description: pattern.description + '. The value appears to be hardcoded rather than loaded from environment.',
             suggestedFix: 'Move this sensitive value to an environment variable or secure secrets manager.',
             confidence: 'medium',
+            baseConfidence: BASE_CONFIDENCE,
             layer: 2,
+        source: 'structural' as const,
           })
         }
         break // Only report once per line

package/src/detect/structural/xxe-detection.ts

@@ -0,0 +1,295 @@
+/**
+ * Layer 2: XXE (XML External Entity) Detector
+ * Detects XML parsing without entity expansion protection
+ *
+ * OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
+ * CWE-611: Improper Restriction of XML External Entity Reference
+ */
+
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.55
+
+interface XXEOptions {
+  parsed?: ParsedFile
+}
+
+interface XXEPattern {
+  /** Regex to detect XML parser usage */
+  pattern: RegExp
+  /** Programming language */
+  lang: 'node' | 'python' | 'java' | 'php'
+  /** Library name for reporting */
+  lib: string
+  /** Regex for safe configuration that suppresses the finding */
+  safe?: RegExp
+  /** Default severity (can be overridden) */
+  severity?: VulnerabilitySeverity
+  /** File extensions this applies to */
+  extensions?: string[]
+}
+
+const XXE_PATTERNS: XXEPattern[] = [
+  // ==================== Node.js ====================
+  {
+    pattern: /xml2js\.parseString|new\s+xml2js\.Parser/,
+    lang: 'node',
+    lib: 'xml2js',
+    safe: /explicitCharkey|xmlMode/,
+    severity: 'medium', // xml2js v0.5+ doesn't expand entities by default
+    extensions: ['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx'],
+  },
+  {
+    pattern: /libxmljs\.parseXml/,
+    lang: 'node',
+    lib: 'libxmljs',
+    safe: /noent\s*:\s*false/,
+    severity: 'high',
+    extensions: ['.js', '.ts', '.mjs', '.cjs'],
+  },
+  {
+    pattern: /new\s+DOMParser\(\)\.parseFromString/,
+    lang: 'node',
+    lib: 'DOMParser',
+    severity: 'low', // Browsers block XXE by default
+    extensions: ['.js', '.ts', '.jsx', '.tsx'],
+  },
+  {
+    pattern: /(?:xmldom|@xmldom\/xmldom)/,
+    lang: 'node',
+    lib: 'xmldom',
+    safe: /entityExpansionEnabled\s*:\s*false/,
+    severity: 'medium',
+    extensions: ['.js', '.ts', '.mjs', '.cjs'],
+  },
+  {
+    pattern: /(?:fast-xml-parser|XMLParser)/,
+    lang: 'node',
+    lib: 'fast-xml-parser',
+    safe: /processEntities\s*:\s*false/,
+    severity: 'medium',
+    extensions: ['.js', '.ts', '.mjs', '.cjs'],
+  },
+
+  // ==================== Python ====================
+  {
+    pattern: /xml\.etree\.ElementTree\.parse|ET\.parse|etree\.parse/,
+    lang: 'python',
+    lib: 'xml.etree.ElementTree',
+    safe: /defusedxml/,
+    severity: 'high',
+    extensions: ['.py'],
+  },
+  {
+    pattern: /lxml\.etree\.parse|etree\.fromstring/,
+    lang: 'python',
+    lib: 'lxml.etree',
+    safe: /resolve_entities\s*=\s*False|defusedxml/,
+    severity: 'high',
+    extensions: ['.py'],
+  },
+  {
+    pattern: /xml\.sax\.parse|xml\.dom\.minidom\.parse/,
+    lang: 'python',
+    lib: 'xml.sax/minidom',
+    safe: /defusedxml/,
+    severity: 'high',
+    extensions: ['.py'],
+  },
+  {
+    pattern: /xml\.dom\.pulldom/,
+    lang: 'python',
+    lib: 'xml.dom.pulldom',
+    safe: /defusedxml/,
+    severity: 'high',
+    extensions: ['.py'],
+  },
+
+  // ==================== Java ====================
+  {
+    pattern: /DocumentBuilderFactory\.newInstance/,
+    lang: 'java',
+    lib: 'DocumentBuilderFactory',
+    safe: /disallow-doctype-decl|FEATURE_SECURE_PROCESSING/,
+    severity: 'high',
+    extensions: ['.java'],
+  },
+  {
+    pattern: /SAXParserFactory\.newInstance/,
+    lang: 'java',
+    lib: 'SAXParserFactory',
+    safe: /disallow-doctype-decl|external-general-entities/,
+    severity: 'high',
+    extensions: ['.java'],
+  },
+  {
+    pattern: /XMLInputFactory\.newInstance/,
+    lang: 'java',
+    lib: 'XMLInputFactory',
+    safe: /IS_SUPPORTING_EXTERNAL_ENTITIES|SUPPORT_DTD/,
+    severity: 'high',
+    extensions: ['.java'],
+  },
+  {
+    pattern: /TransformerFactory\.newInstance/,
+    lang: 'java',
+    lib: 'TransformerFactory',
+    safe: /ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_STYLESHEET/,
+    severity: 'high',
+    extensions: ['.java'],
+  },
+
+  // ==================== PHP ====================
+  {
+    pattern: /simplexml_load_string|simplexml_load_file/,
+    lang: 'php',
+    lib: 'simplexml',
+    safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)|LIBXML_NOENT/,
+    severity: 'high',
+    extensions: ['.php'],
+  },
+  {
+    pattern: /DOMDocument.*(?:loadXML|load)\b/,
+    lang: 'php',
+    lib: 'DOMDocument',
+    safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)/,
+    severity: 'high',
+    extensions: ['.php'],
+  },
+  {
+    pattern: /XMLReader.*open/,
+    lang: 'php',
+    lib: 'XMLReader',
+    safe: /setParserProperty.*LOADDTD.*false/,
+    severity: 'high',
+    extensions: ['.php'],
+  },
+]
+
+/**
+ * Check if the file extension matches the expected language
+ */
+function matchesLanguageExtension(filePath: string, extensions?: string[]): boolean {
+  if (!extensions) return true
+  return extensions.some(ext => filePath.endsWith(ext))
+}
+
+/**
+ * Check surrounding context for safe configuration
+ */
+function hasSafeConfig(
+  content: string,
+  lines: string[],
+  lineIndex: number,
+  safePattern: RegExp | undefined,
+  lang: string
+): boolean {
+  if (!safePattern) return false
+
+  // For Python: check entire file for defusedxml import
+  if (lang === 'python' && /defusedxml/.test(safePattern.source)) {
+    if (/import\s+defusedxml|from\s+defusedxml/.test(content)) {
+      return true
+    }
+  }
+
+  // Check surrounding context (±20 lines for Java setFeature, ±10 for others)
+  const windowSize = lang === 'java' ? 20 : 10
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize + 1)
+  const context = lines.slice(start, end).join('\n')
+
+  return safePattern.test(context)
+}
+
+/**
+ * Detect XXE patterns in code
+ */
+export function detectXXEPatterns(
+  content: string,
+  filePath: string,
+  options?: XXEOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+
+  const isTestFile = isTestOrMockFile(filePath)
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    for (const xxePattern of XXE_PATTERNS) {
+      // Check language extension match
+      if (!matchesLanguageExtension(filePath, xxePattern.extensions)) continue
+
+      if (!xxePattern.pattern.test(line)) continue
+
+      // Check for safe configuration
+      if (hasSafeConfig(content, lines, i, xxePattern.safe, xxePattern.lang)) continue
+
+      let severity: VulnerabilitySeverity = xxePattern.severity || 'high'
+
+      // Downgrade for test files
+      if (isTestFile) {
+        severity = 'info'
+      }
+
+      // DOMParser in .tsx client files is inherently safe
+      if (xxePattern.lib === 'DOMParser' && (filePath.endsWith('.tsx') || filePath.endsWith('.jsx'))) {
+        severity = 'info'
+      }
+
+      vulnerabilities.push({
+        id: `xxe-${filePath}-${i + 1}-${xxePattern.lib}`,
+        filePath,
+        lineNumber: i + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'xxe',
+        title: `XXE risk: ${xxePattern.lib} XML parser without entity protection`,
+        description:
+          `${xxePattern.lib} XML parser is used without disabling external entity processing. An attacker could supply malicious XML to read server files, perform SSRF, or cause denial-of-service.`,
+        suggestedFix: getSuggestedFix(xxePattern.lang, xxePattern.lib),
+        confidence: severity === 'high' ? 'high' : 'medium',
+        baseConfidence: BASE_CONFIDENCE,
+        layer: 2,
+        source: 'structural' as const,
+        requiresAIValidation: severity !== 'high',
+      })
+
+      break // One finding per line
+    }
+  }
+
+  return vulnerabilities
+}
+
+function getSuggestedFix(lang: string, lib: string): string {
+  switch (lang) {
+    case 'python':
+      return 'Use defusedxml instead of the standard xml library: pip install defusedxml && from defusedxml.ElementTree import parse'
+    case 'java':
+      return 'Disable external entities: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)'
+    case 'php':
+      return 'Disable entity loading: libxml_disable_entity_loader(true) before parsing XML'
+    case 'node':
+      if (lib === 'fast-xml-parser') {
+        return 'Disable entity processing: new XMLParser({ processEntities: false })'
+      }
+      if (lib === 'xml2js') {
+        return 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false'
+      }
+      return 'Disable external entity processing in the XML parser configuration'
+    default:
+      return 'Disable external entity processing in the XML parser configuration'
+  }
+}