From d830bc219f37dcd536b00e35dfef36c728bb875b Mon Sep 17 00:00:00 2001 From: James Spencer Date: Thu, 16 Jul 2026 08:48:36 -0400 Subject: [PATCH] disabling XXE vulnerable parse features --- .../eclipse/vtp/framework/util/XMLUtilities.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/com.vht.openvxml.framework/com.vht.openvxml.framework.plugins/org.eclipse.vtp.framework.util/src/main/java/org/eclipse/vtp/framework/util/XMLUtilities.java b/com.vht.openvxml.framework/com.vht.openvxml.framework.plugins/org.eclipse.vtp.framework.util/src/main/java/org/eclipse/vtp/framework/util/XMLUtilities.java index 680622a2..e5fce487 100644 --- a/com.vht.openvxml.framework/com.vht.openvxml.framework.plugins/org.eclipse.vtp.framework.util/src/main/java/org/eclipse/vtp/framework/util/XMLUtilities.java +++ b/com.vht.openvxml.framework/com.vht.openvxml.framework.plugins/org.eclipse.vtp.framework.util/src/main/java/org/eclipse/vtp/framework/util/XMLUtilities.java @@ -486,6 +486,21 @@ public static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException { DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory .newInstance(); + // Harden the parser against XML External Entity (XXE) attacks + // (CWE-611). This utility is shared across the framework, so any caller + // that parses untrusted XML (e.g. Genesys attached data) inherits a + // safe-by-default parser. See the OWASP XXE Prevention Cheat Sheet. + documentBuilderFactory.setFeature( + "http://apache.org/xml/features/disallow-doctype-decl", true); + documentBuilderFactory.setFeature( + "http://xml.org/sax/features/external-general-entities", false); + documentBuilderFactory.setFeature( + "http://xml.org/sax/features/external-parameter-entities", false); + documentBuilderFactory.setFeature( + "http://apache.org/xml/features/nonvalidating/load-external-dtd", + false); + documentBuilderFactory.setXIncludeAware(false); + documentBuilderFactory.setExpandEntityReferences(false); return documentBuilderFactory.newDocumentBuilder(); }