Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 26.1.0.Final, 27.0.0.Alpha1
Affects Version/s: 26.0.1.Final
Component/s: JDR
Labels:
None

Git Pull Request:
https://github.com/wildfly/wildfly/pull/15373, https://github.com/wildfly/wildfly/pull/15390

Description

Currently some codepoints use a native javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory. Restriction of XML External Entity Reference is lacking.

org/jboss/as/jdr/util/XMLSanitizer

Fix:
Use o.w.c.xml.*Factories

Related to:

https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-3FB69003-1E4A-435C-B519-4B9D07630460

Attachments

Activity

People

Assignee:: Boris Unckel (Inactive)

Reporter:: Boris Unckel (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022/03/24 12:29 PM

Updated:: 2022/11/03 2:27 AM

Resolved:: 2022/04/05 4:35 PM