OPC-1507 | Genesys XXE Vulnerability#46
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the shared XML parsing utility (XMLUtilities.getDocumentBuilder()) to mitigate an XXE (CWE-611) vulnerability path (notably affecting Genesys attached-data parsing) by configuring the underlying DocumentBuilderFactory to reject/disable external entity expansion and external DTD loading.
Changes:
- Configures
DocumentBuilderFactoryfeatures to disallowDOCTYPEdeclarations and disable external general/parameter entities. - Disables XInclude and entity-reference expansion on the created DOM builder factory.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Harden the parser against XML External Entity (XXE) attacks | ||
| // (CWE-611). This utility is shared across the framework, so any caller | ||
| // that parses untrusted XML (e.g. Genesys attached data) inherits a | ||
| // safe-by-default parser. See the OWASP XXE Prevention Cheat Sheet. | ||
| documentBuilderFactory.setFeature( | ||
| "http://apache.org/xml/features/disallow-doctype-decl", true); | ||
| documentBuilderFactory.setFeature( | ||
| "http://xml.org/sax/features/external-general-entities", false); | ||
| documentBuilderFactory.setFeature( | ||
| "http://xml.org/sax/features/external-parameter-entities", false); | ||
| documentBuilderFactory.setFeature( | ||
| "http://apache.org/xml/features/nonvalidating/load-external-dtd", | ||
| false); | ||
| documentBuilderFactory.setXIncludeAware(false); | ||
| documentBuilderFactory.setExpandEntityReferences(false); |
Claude says...Verdict: Directionally correct, but this is a cheat-sheet paste that closes a Semgrep finding without remediating the vulnerability class. One of the six lines is wrong, the hardening reaches exactly one low-traffic call path, and the more exposed runtime parsers are left open. Request changes. Scope: 1.
|
Card(s)
Related Pull Requests
Changes Made
Test Procedure