WildFly Core / WFCORE-6734

CWE-611 issues in the 'patching' module

Description

      We have some code in the patching module that doesn't handle CWE-611 (Improper Restriction of XML External Entity Reference, https://cwe.mitre.org/data/definitions/611.html) properly.

      Per https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html#GUID-5C5B2843-3964-4DE3-847A-5C4863A75F17:

      Even in a trusted environment with trusted sources, it's recommended that you use both external access restrictions and resolvers to minimize dependencies on external sources.

      The 'external access restrictions' bit is handled by not calling XMLInputFactory.createXMLStreamReader without first calling XMLInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) on the factory.

      The 'resolvers' bit is handled by setting (via XMLInputFactory.setXMLResolver) an XMLResolver that always returns "" from the resolveEntity method.

      I believe this is all about PatchXml and PatchBundleXml.

      I don't know if this code is actually used anymore, but even if it's not it's good to fix it to stop scanners detecting a problem and flagging it up.
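The two measures described above, as an added worked example in Java. This is not code from WildFly Core's patching module (PatchXml and PatchBundleXml are not shown); the class name, method names and the sample document are constructed for illustration, and the external entity in the sample points at a local file purely to show what a scanner is warning about.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not WildFly Core code): hardening an XMLInputFactory against
 * CWE-611 the way the ticket describes, then parsing a constructed document
 * that tries to pull in an external entity.
 */
public final class SafeStaxExample {

    // Constructed sample: an internal DTD declares an external general entity
    // backed by a local file, and element content references it.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE patch [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<patch><name>&ext;</name></patch>";

    /** The pattern the ticket flags: a factory used with its default settings. */
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened per the ticket: both the access restriction and the resolver. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // 1. External access restriction: never expand external entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // 2. Resolver: if a lookup is still attempted, hand back an empty
        //    replacement instead of letting the parser open the system id.
        //    (XMLResolver has a single abstract method, so a lambda is fine.)
        factory.setXMLResolver((publicID, systemID, baseURI, namespace) -> "");
        return factory;
    }

    /**
     * Walks the document with the given factory and returns whatever ends up
     * as the text of the <name> element. An unexpanded entity is rendered as
     * "&name;" so the caller can see that nothing was fetched.
     */
    static String nameText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            boolean inName = false;
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT && "name".equals(reader.getLocalName())) {
                    inName = true;
                } else if (event == XMLStreamConstants.END_ELEMENT && "name".equals(reader.getLocalName())) {
                    inName = false;
                } else if (inName && event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                } else if (inName && event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // The hardened parser reports the reference by name rather
                    // than substituting the external content.
                    text.append('&').append(reader.getLocalName()).append(';');
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("hardened: " + nameText(hardenedFactory(), XXE_DOC));
        // With unsafeFactory() the same call may read the referenced file,
        // depending on the StAX implementation's defaults; it is not run here.
    }
}
```

What the hardened run prints depends on the StAX implementation in use: the JDK's parser reports the unexpanded reference as an ENTITY_REFERENCE event, while some implementations instead throw an XMLStreamException when an external entity is referenced with IS_SUPPORTING_EXTERNAL_ENTITIES turned off. In neither case does the file content reach the application, which is the property the ticket is after; the resolver returning "" is the second line of defence the Oracle guide recommends on top of the property.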

          People

            bstansbe@redhat.com Brian Stansberry