4Soft-de/harness-model

[Feature Request] Make sure XML External Entities is not a security issue within our libs.

Closed this issue · 1 comments

General Troubleshooting

  • I have checked for similar requests / issues.
  • I have updated to the latest version of the project.

Which project does the feature request target?

None

Feature Request

https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Example for a Use Case

No response

Example Code

No response

According to the OWASP cheat sheet for preventing XXE with JAXB, one should configure the XML parser factory like so:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

Digging into our code that is exactly what we are already doing.

// ExtendedUnmarshaller#getXMLReader()
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

I'm closing this issue.