Document XML parser usage against security false positives

Prior to this commit, our XML parser usage would be already haredened
against XXE (XML External Entities) attacks. Still, we recently received
several invalid security reports claiming that our setup should be
hardened.

This commit documents a few usages of XML parsers to add some more
context and hopefully prevent future invalid reports.

Closes gh-33713
This commit is contained in:
Brian Clozel
2024-10-15 18:59:02 +02:00
parent 166714c8f5
commit f204f4962d
6 changed files with 20 additions and 2 deletions

View File

@@ -164,6 +164,8 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
if (source instanceof StreamSource streamSource) {
InputSource inputSource = new InputSource(streamSource.getInputStream());
try {
// By default, Spring will prevent the processing of external entities.
// This is a mitigation against XXE attacks.
SAXParserFactory saxParserFactory = this.sourceParserFactory;
if (saxParserFactory == null) {
saxParserFactory = SAXParserFactory.newInstance();

View File

@@ -177,6 +177,8 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
private DOMSource readDOMSource(InputStream body, HttpInputMessage inputMessage) throws IOException {
try {
// By default, Spring will prevent the processing of external entities.
// This is a mitigation against XXE attacks.
DocumentBuilderFactory builderFactory = this.documentBuilderFactory;
if (builderFactory == null) {
builderFactory = DocumentBuilderFactory.newInstance();