Skip BOM chars from XML documents #9046
Conversation
|
|
josegar74
force-pushed
the
44-xml-bom
branch
from
11c1538 to
2cc905a
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| SAXBuilder builder = getSAXBuilderWithPathXMLResolver(false, null); //new SAXBuilder(); | ||
| builder.setFeature("http://apache.org/xml/features/validation/schema", false); | ||
| builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); | ||
| Document jdoc = builder.build(f); |
Check failure
Code scanning / CodeQL
Resolving XML external entity in user-controlled data Critical
There was a problem hiding this comment.
@josegar74 hey, it looks like this was not introduced in the PR but already present before. Do you have an idea how to mitigate this? thank you!
There was a problem hiding this comment.
@jahow I see in https://codeql.github.com/codeql-query-help/java/java-xxe/ that the good example uses:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);If it sounds fine, maybe we can create another pull request to test this properly as I am not sure if can cause side effects.
There was a problem hiding this comment.
@jahow I have created #9066 to solve this issue, so we can test the suggested change in https://codeql.github.com/codeql-query-help/java/java-xxe/ properly.
I've done some tests, for example using the CSW harvester and looks fine, but more testing is required.
4 participants
XML documents that begin with a Byte Order Mark (BOM) cause the following exception:
This change request checks whether the XML document begins with a BOM and, if so, removes it so that the XML load works as intended.
Checklist
mainbranch, backports managed with labelREADME.mdfilespom.xmldependency management. Update build documentation with intended library use and library tutorials or documentation