fix(security): harden XMLUtils against XXE (PR1/9)#36354

Draft
mbiuki wants to merge 1 commit into
mainfrom
issue-650-fix-xxe-xmlutils
Draft
Conversation

@mbiuki

@mbiuki mbiuki commented Jun 29, 2026

Member

Security fix — PR 1 of 9 (tracking: dotCMS/private-issues#650)

Class: XXE (CWE-611) · Severity: High · Routing: Team : Maintenance

Problem

com.dotmarketing.util.XMLUtils used a shared DocumentBuilderFactory.newInstance() with no hardening, then parsed arbitrary XML in isValidXML(). Untrusted XML could exploit external entities for local file disclosure / SSRF.

Fix

  • Build the factory via newSecureDocumentBuilderFactory():
    • disallow-doctype-decl = true (primary defense)
    • external general/parameter entities off, external DTD load off
    • setXIncludeAware(false), setExpandEntityReferences(false)

Verification

  • ./mvnw compile -pl :dotcms-core -DskipTests

⚠️ Draft. Discloses an unpatched vulnerability publicly per maintainer instruction — coordinate with the release/advisory process before merge.

…ivate-issues#650)

Disable DOCTYPE declarations and external entity/DTD resolution on the
shared DocumentBuilderFactory used by XMLUtils.isValidXML(), closing a
CWE-611 XXE exposure when untrusted XML is parsed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
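To make the hardening described in the PR body concrete, here is an added, stand-alone example (not the dotCMS code from this PR) of what a `newSecureDocumentBuilderFactory()` helper and an `isValidXML()`-style check look like when the four listed features are applied. The class name `SecureXmlExample` and the sample documents are assumptions for illustration; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical illustration of the PR's approach; not the project's own class.
public final class SecureXmlExample {

    // Builds a DocumentBuilderFactory with DOCTYPE declarations and all
    // external entity / DTD resolution disabled, mirroring the PR description.
    static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        try {
            // Primary defense: any <!DOCTYPE ...> is a fatal parse error.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defense in depth in case a parser ignores the feature above.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot honour these features must not be used.
            throw new IllegalStateException("XML parser lacks required security features", e);
        }
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Validation check in the style of XMLUtils.isValidXML(): well-formed => true,
    // anything the hardened parser rejects (including a DOCTYPE) => false.
    static boolean isValidXML(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        DocumentBuilderFactory secure = newSecureDocumentBuilderFactory();

        // Constructed sample inputs: a plain document and one carrying a
        // harmless internal-entity DOCTYPE (no external reference at all).
        String plain = "<note><to>ops</to></note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY greet \"hi\">]><note>&greet;</note>";

        System.out.println("plain document valid:   " + isValidXML(secure, plain));
        System.out.println("DOCTYPE document valid: " + isValidXML(secure, withDoctype));
    }
}
```

With the hardened factory the plain document is accepted and the DOCTYPE-bearing one is rejected at parse time, before any entity could be resolved; the default JDK parser also writes a `[Fatal Error]` line to stderr for the rejected input, which is worth knowing when reading logs. The unhardened `DocumentBuilderFactory.newInstance()` that the PR replaces would accept both inputs.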
@github-actions

Contributor

❌ Linked Issue Needs Team Label

This PR is linked to issue #650, but that issue has no Team : * label. Every linked issue must be owned by a team for tracking and triage.

How to fix this:

Apply a Team : * label to the linked issue (e.g., Team : Scout, Team : Platform, Team : Falcon, Team : Maintenance). Then push a new commit or edit the PR description to re-run this check.


This comment was automatically generated by the issue linking workflow

@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label Jun 29, 2026
@claude

claude Bot commented Jun 29, 2026

Contributor

Claude finished @mbiuki's task in 55s


Rollback Safety Analysis — Complete

  • Read rollback-unsafe categories reference
  • Get full PR diff
  • Analyze diff against all unsafe categories
  • Apply appropriate label

Result: ✅ Safe To Rollback

The single changed file is dotCMS/src/main/java/com/dotmarketing/util/XMLUtils.java. The diff introduces a newSecureDocumentBuilderFactory() helper method and swaps the static DocumentBuilderFactory.newInstance() for the hardened version (+24/-1 lines). This is a pure Java behavior change — no database migrations, no Elasticsearch mapping changes, no data model modifications, no API contract changes.

Checked every category in the rollback-unsafe reference:

| Category | Match? |
| --- | --- |
| C-1 Structural Data Model Change | ❌ No DB changes |
| C-2 Elasticsearch Mapping Change | ❌ No ES changes |
| C-3 Content JSON Model Version Bump | ❌ No model version change |
| C-4 DROP TABLE / DROP Column | ❌ No DDL |
| H-1 One-Way Data Migration | ❌ No data migration |
| H-2 RENAME TABLE / COLUMN | ❌ No renames |
| H-3 PK Restructuring | ❌ No PK changes |
| H-4 New Content Type Field Type | ❌ No new field types |
| H-5 Binary Storage Provider Change | ❌ No storage changes |
| H-6 DROP PROCEDURE / FUNCTION | ❌ No stored procedures |
| H-7 NOT NULL Column Without Default | ❌ No DDL |
| H-8 VTL Viewtool Contract Change | ❌ No viewtool changes |
| M-1 Non-Broadening Column Type Change | ❌ No DDL |
| M-2 Push Publishing Bundle Format | ❌ No bundle changes |
| M-3 REST / GraphQL API Contract Change | ❌ No REST/API changes |
| M-4 OSGi Plugin API Breakage | ❌ No public interface changes |

Rolling back to N-1 simply reverts to the un-hardened DocumentBuilderFactory — the application starts and behaves identically to the pre-patch state. The label AI: Safe To Rollback has been applied.

@github-actions

github-actions Bot commented Jun 29, 2026

Contributor

🤖 dotBot Review (Bedrock)

Reviewed 1 file(s); 2 candidate(s) → 0 confirmed, 0 uncertain (unverified, kept for review).

✅ No issues found after verification.


us.deepseek.r1-v1:0 · Run: #28386462407 · tokens: in: 7157 · out: 2015 · total: 9172 · calls: 4 · est. ~$0.021


Labels

AI: Safe To Rollback Area : Backend PR changes Java/Maven backend code
