Improve disabling access to external entities in XML parsing for TransformerFactory
Issue date: 10-05-2021
Affects versions: 14.5
Security Issue ID
SECURITY-190
Affected Product Version(s)
14.5.1 and previous releases.
Severity
low
Description
Do not rely on the FEATURE_SECURE_PROCESSING feature to protect against XXE attacks, because depending on the implementation:
- it does nothing to protect the parser from XXE attacks, although it does help guard against excessive memory consumption during XML processing;
- or it is merely an obscure shortcut (it may set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "", but without any guarantee).
All applicable code fragments have been updated to the following compliant code:
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
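As an added illustration (not the advisory's or the product's own code), the following Java sample applies the compliant settings to both DocumentBuilderFactory and the TransformerFactory named in the title, and shows the JDK parser refusing a constructed document whose DOCTYPE references an external DTD. The DTD host is a placeholder; the class name and helper method names are chosen for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample: a document whose DOCTYPE points at an external DTD.
    // The host is a placeholder; a hardened parser must refuse before any fetch happens.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">\n"
      + "<note>hello</note>";

    static DocumentBuilderFactory hardenedDocumentBuilderFactory() {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        // The advisory's compliant settings: no external DTD or schema access at all.
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return df;
    }

    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        // TransformerFactory has no schema attribute; its external inputs are DTDs and stylesheets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        try {
            DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
            db.parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("DocumentBuilder: parsed (unexpected, external DTD was not blocked)");
        } catch (SAXParseException e) {
            System.out.println("DocumentBuilder refused external DTD: " + e.getMessage());
        }
        try {
            Transformer t = hardenedTransformerFactory().newTransformer();
            t.transform(new StreamSource(new StringReader(SAMPLE)), new StreamResult(new StringWriter()));
            System.out.println("Transformer: transformed (unexpected, external DTD was not blocked)");
        } catch (TransformerException e) {
            System.out.println("Transformer refused external DTD: " + e.getMessage());
        }
    }
}
```

On a current JDK both branches print the "refused" message, with the parser reporting that "http" access is not allowed by the accessExternalDTD restriction; an implementation that reaches the "unexpected" lines is ignoring the attributes and needs a different remediation.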
Instructions
Customers using the 14.x major version are advised to upgrade to the latest release.