Xml External Entities in Adonisjs with Firestore

Xml External Entity (XXE) injection occurs when an application processes XML input and allows an external entity to be defined or referenced. In Adonisjs, XML payloads can reach Firestore client libraries indirectly—for example, when an XML document is parsed and values are used to construct Firestore writes, queries, or metadata. If user-controlled XML is deserialized without restriction, an attacker can define external entities that read local files, cause SSRF, or leak internal network information. These effects become actionable when the parsed data is later passed to Firestore operations such as docRef.set() or collection queries, exposing internal service metadata or authentication details that affect Firestore access patterns.

Consider an Adonisjs endpoint that imports configuration from an XML upload and maps values to a Firestore document:

import { XmlParser } from 'fast-xml-parser';
import { Firestore } from '@google-cloud/firestore';

const firestore = new Firestore();

export async function importConfig(ctx) {
  const xml = ctx.request.body(); // user-controlled
  const parser = new XmlParser();
  const jsonObj = parser.parse(xml);
  // If XML defines an external entity, file reads or SSRF can occur during parse
  await firestore.doc('config/app').set(jsonObj);
  ctx.response.ok({ status: 'ok' });
}

If the XML parser is configured to resolve external entities (e.g., via DTDs), an attacker can supply a payload that reads files such as /etc/passwd or triggers internal HTTP requests. The Firestore interaction may inadvertently expose sensitive project metadata, IAM service account scopes, or bucket names through error messages or through Firestore security rules evaluations that log or reflect the injected data. An attacker can also leverage XXE to probe internal endpoints reachable from the Adonisjs server, using Firestore operations as a pivot to infer network topology or to exfiltrate data via side channels.

The risk is amplified when Adonisjs uses XML parsing to build Firestore queries dynamically. For example, converting XML node values into field filters without strict schema validation can allow entity expansion that consumes excessive resources or interacts with unexpected Firestore indexes. Even when Firestore itself does not parse XML, the surrounding Adonisjs runtime and its dependencies may process external entities during request handling, making the application a conduit for data exposure or SSRF that manifests through Firestore integrations.

Key indicators of risk in this combination include permissive XML parser settings (e.g., processExternalEntities enabled), direct mapping of XML content into Firestore document fields, and error handling that reveals internal paths or service URLs. Attack patterns such as `file://` exploits, SSRF via external HTTP entities, and data exfiltration through Firestore read operations are feasible when input validation and parser hardening are absent.

Remediation focuses on preventing XML external entity resolution and ensuring that any data destined for Firestore is strictly validated and sanitized. Do not rely on Firestore security rules alone to sanitize input; treat all external data as untrusted before it reaches Firestore operations.

1) Disable external entity resolution in XML parsing. Use a secure parser configuration or switch to a non-XML format (e.g., JSON) where possible. If XML is required, enforce a strict schema and disable DTD processing.

import { XmlParser } from 'fast-xml-parser';
import { Firestore } from '@google-cloud/firestore';

const firestore = new Firestore();

export async function importConfigSafe(ctx) {
  const xml = ctx.request.body();
  const options = {
    ignoreAttributes: true,
    allowBooleanAttributes: false,
    parseNodeValue: true,
    attributeNamePrefix: '',
    // Ensure no external entity resolution
    processExternalEntities: false,
    validateAgainstSchema: false,
    isVal: (str) => typeof str === 'string'
  };
  const parser = new XmlParser(options);
  const jsonObj = parser.parse(xml);
  await firestore.doc('config/app').set(jsonObj);
  ctx.response.ok({ status: 'ok' });
}

2) Validate and sanitize all inputs before using them in Firestore writes or queries. Use an OpenAPI or JSON schema to enforce allowed structures and reject unexpected nodes or attributes that could carry malicious payloads.

import { schemaValidator } from '@ioc:Adonisjs/Validator';
import { Firestore } from '@google-cloud/firestore';

const firestore = new Firestore();

export async function createDocumentSafe(ctx) {
  const payload = ctx.request.body();
  const validated = schemaValidator.validate('FirestoreDoc', payload); // define schema separately
  if (validated.fails()) {
    return ctx.response.badRequest({ errors: validated.errors.flatten() });
  }
  await firestore.collection('items').add({
    name: validated.data.name,
    settings: validated.data.settings,
    createdAt: Date.now()
  });
  ctx.response.created({ id: 'assigned-by-firestore' });
}

3) Apply principle of least privilege to the Firestore service account used by Adonisjs. Restrict IAM roles to only the necessary Firestore operations and paths, and avoid broad owner or editor roles that could be abused if XXE leads to privilege escalation attempts.

4) Monitor Firestore logs and Adonisjs request logs for anomalous patterns, such as unexpected document paths or high-frequency writes triggered by parsed XML values. Ensure error messages do not leak filesystem paths or internal URLs that could aid an attacker in crafting follow-on XXE or SSRF attacks.

5) Prefer JSON over XML for API interactions when feasible. If XML must be supported, integrate a dedicated sanitization layer that strips or rejects DTDs and external entity declarations before any Firestore interaction. Combine this with runtime security monitoring to detect and block injection attempts targeting Firestore resources.