fix(security): harden XMLUtils against XXE (PR 1/9) #36354
…ivate-issues#650) Disable DOCTYPE declarations and external entity/DTD resolution on the shared DocumentBuilderFactory used by XMLUtils.isValidXML(), closing a CWE-611 XXE exposure when untrusted XML is parsed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
❌ Linked Issue Needs Team Label (automated issue-linking workflow): this PR is linked to issue #650, but that issue has no … How to fix this: apply a …
Claude finished @mbiuki's task in 55s. Rollback Safety Analysis: Complete.
Result: ✅ Safe To Rollback. The single changed file is … Checked every category in the rollback-unsafe reference: … Rolling back to N-1 simply reverts to the un-hardened …
🤖 dotBot Review (Bedrock): reviewed 1 file(s); 2 candidate(s) → 0 confirmed, 0 uncertain (unverified, kept for review). ✅ No issues found after verification.
Security fix — PR 1 of 9 (tracking: dotCMS/private-issues#650)
Class: XXE (CWE-611) · Severity: High · Routing: Team : Maintenance
Problem
com.dotmarketing.util.XMLUtils used a shared DocumentBuilderFactory.newInstance() with no hardening, then parsed arbitrary XML in isValidXML(). Untrusted XML could exploit external entities for local file disclosure / SSRF.
Fix
newSecureDocumentBuilderFactory():
- disallow-doctype-decl = true (primary defense)
- setXIncludeAware(false), setExpandEntityReferences(false)
Verification
./mvnw compile -pl :dotcms-core -DskipTests ✅
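As an added example, not code from this PR or from the dotCMS code base, the following Java class applies the hardening the PR body describes to a DocumentBuilderFactory and pairs it with a stand-in isValidXML() so the effect is visible: a plain document parses, while any document that carries a DOCTYPE declaration is rejected before an entity can be declared. The class and method names, the sample documents, and the extra SAX/Xerces entity features layered under disallow-doctype-decl are assumptions of this example and go beyond what the PR body lists.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

// Hypothetical class; mirrors the hardening described in the PR body, not the project's code.
public class SecureXmlParsing {

    // Build a DocumentBuilderFactory that cannot be used for XXE.
    static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary defense (from the PR body): reject any DOCTYPE, so neither an internal
        // DTD nor an external one can declare entities at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth (assumed additions): even if a parser ignored the feature above,
        // external general/parameter entities and external DTD loading stay off.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // From the PR body: no XInclude processing, no entity reference expansion.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Stand-in for XMLUtils.isValidXML(): true only if the hardened parser accepts the input.
    static boolean isValidXML(String xml) {
        try {
            DocumentBuilder builder = newSecureDocumentBuilderFactory().newDocumentBuilder();
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            // A parser that does not support a hardening feature lands here too, so the
            // caller never silently falls back to an un-hardened parse.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain document and one carrying a harmless DOCTYPE.
        String plain = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY greeting \"hello\">]><root>&greeting;</root>";
        System.out.println("plain document accepted: " + isValidXML(plain));
        System.out.println("DOCTYPE document accepted: " + isValidXML(withDoctype));
    }
}
```

With disallow-doctype-decl set, the parser raises a SAXParseException on the DOCTYPE line itself, so the rejection happens regardless of whether the entity would have pointed at a local file or a remote URL; the check to verify after the change is that XML with a DOCTYPE is reported invalid and XML without one still parses. The example builds a fresh DocumentBuilder per call from the configured factory and treats a ParserConfigurationException as a validation failure rather than as a reason to retry with a default factory.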