Document XML parser usage against security false positives
Prior to this commit, our XML parser usage would be already haredened against XXE (XML External Entities) attacks. Still, we recently received several invalid security reports claiming that our setup should be hardened. This commit documents a few usages of XML parsers to add some more context and hopefully prevent future invalid reports. Closes gh-33713
This commit is contained in:
@@ -164,6 +164,8 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
|
||||
if (source instanceof StreamSource streamSource) {
|
||||
InputSource inputSource = new InputSource(streamSource.getInputStream());
|
||||
try {
|
||||
// By default, Spring will prevent the processing of external entities.
|
||||
// This is a mitigation against XXE attacks.
|
||||
SAXParserFactory saxParserFactory = this.sourceParserFactory;
|
||||
if (saxParserFactory == null) {
|
||||
saxParserFactory = SAXParserFactory.newInstance();
|
||||
|
||||
@@ -177,6 +177,8 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
|
||||
|
||||
private DOMSource readDOMSource(InputStream body, HttpInputMessage inputMessage) throws IOException {
|
||||
try {
|
||||
// By default, Spring will prevent the processing of external entities.
|
||||
// This is a mitigation against XXE attacks.
|
||||
DocumentBuilderFactory builderFactory = this.documentBuilderFactory;
|
||||
if (builderFactory == null) {
|
||||
builderFactory = DocumentBuilderFactory.newInstance();
|
||||
|
||||
Reference in New Issue
Block a user