@AlainODea
Last active May 17, 2021 02:45
DocumentBuilderFactory that mitigates XXE using OWASP guidance

Recommended mitigation:

Replace this dangerous code:

// Default factory: DOCTYPE declarations, external entities and XInclude are all enabled
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Note: this calls the getter and discards the result; it changes nothing on the factory
factory.isIgnoringElementContentWhitespace();
DocumentBuilder builder = factory.newDocumentBuilder();

With this safer code:

// The lambda receives the already-hardened factory and applies only caller-specific settings
DocumentBuilder builder = DocumentBuilders.createSaferDocumentBuilder(factory -> {
    factory.isIgnoringElementContentWhitespace();
});

Add this utility interface somewhere:

// BASED ON SOURCE: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public interface DocumentBuilders
{
    /** Callback for caller-specific factory settings, applied after the XXE hardening. */
    interface ParserConfigurer
    {
        void configureParser(DocumentBuilderFactory factory) throws ParserConfigurationException;
    }

    static DocumentBuilder createSaferDocumentBuilder(ParserConfigurer parserConfigurer) throws ParserConfigurationException
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        // This is the primary defence; the remaining features are defence in depth.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Do not resolve external general entities (e.g. <!ENTITY x SYSTEM "...">)
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Do not resolve external parameter entities (used inside DTDs)
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD referenced from the DOCTYPE
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude can pull in arbitrary documents by URI
        factory.setXIncludeAware(false);
        // Keep entity references unexpanded in the resulting DOM
        factory.setExpandEntityReferences(false);
        // Caller-specific configuration runs last, on the hardened factory
        parserConfigurer.configureParser(factory);

        return factory.newDocumentBuilder();
    }
}
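To see what the hardening above actually does at parse time, here is an added example that is not part of the gist: it inlines the same feature settings as createSaferDocumentBuilder (so the file compiles on its own), feeds the builder a constructed benign document and a constructed document carrying a DOCTYPE with an internal entity, and contrasts the result with an unhardened default builder. It assumes only the JDK's built-in JAXP parser, which recognizes the Apache and SAX feature URIs used in the gist; the class name, inputs and the namespaceAware parameter are illustrative choices.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SaferParsingDemo {

    // Same hardening as the gist's createSaferDocumentBuilder, inlined here so the
    // example compiles stand-alone. namespaceAware plays the role of the gist's
    // ParserConfigurer callback: a caller-specific setting applied after hardening.
    static DocumentBuilder hardenedBuilder(boolean namespaceAware) throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setNamespaceAware(namespaceAware);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors instead of printing them to stderr first
        builder.setErrorHandler(new DefaultHandler());
        return builder;
    }

    // Unhardened builder, used only to show the difference in behaviour
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        builder.setErrorHandler(new DefaultHandler());
        return builder;
    }

    static Document parse(DocumentBuilder builder, String xml) throws Exception {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String idText(Document doc) {
        return doc.getDocumentElement().getElementsByTagName("id").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo
        String benign = "<order><id>42</id></order>";
        String withDoctype =
            "<!DOCTYPE order [<!ENTITY greeting \"hello\">]>"
          + "<order><id>&greeting;</id></order>";

        DocumentBuilder hardened = hardenedBuilder(true);

        // Ordinary documents still parse normally
        System.out.println("hardened, benign input -> id=" + idText(parse(hardened, benign)));

        // The unhardened builder processes the DOCTYPE and expands the entity
        System.out.println("default,  DOCTYPE input -> id=" + idText(parse(defaultBuilder(), withDoctype)));

        // The hardened builder stops at the DOCTYPE itself, so no entity (internal or
        // external) is ever declared, let alone resolved
        try {
            parse(hardened, withDoctype);
            System.out.println("hardened, DOCTYPE input -> unexpectedly accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened, DOCTYPE input -> rejected: " + e.getMessage());
        }
    }
}
```

The point of the contrast is that disallow-doctype-decl fails closed: a document with a DOCTYPE is refused at the declaration, before any SYSTEM identifier could be looked at, which is why the gist treats the remaining feature flags as defence in depth rather than as the primary control. If an application legitimately needs DTDs, that single line is the one to revisit, and the other flags then become essential.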
AlainODea (Author) commented Aug 24, 2020

@carlosvillasanchez what have you checked to determine that so far? I haven't checked in a while and I don't use Java in my current job. It's unlikely to have changed much since processing untrusted XML in a fully standards-compliant manner is inherently unsafe. Most of these mitigations are technically not compliant, but that rarely matters in practice. Check the referenced guide to see if this has drifted.
