Improve disabling access to external entities in XML parsing for TransformerFactory 

Issue date: 10-05-2021
Affects versions: 14.5

Security Issue ID

SECURITY-190


Affected Product Version(s)

14.5.1 and previous releases.


Severity 

low


Description

Do not rely on the FEATURE_SECURE_PROCESSING feature to protect against XXE attacks, because, depending on the implementation:

  • it does nothing to protect the parser from XXE attacks, although it does help guard against excessive memory consumption during XML processing;
  • or it is only an obscure shortcut (it may set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "", but without any guarantee).

All applicable code fragments have been updated to the following compliant code:

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // Compliant: no protocol may be used to fetch external DTDs or entities
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // Compliant: no protocol may be used to fetch external schemas
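As an added illustration (not code from the advisory or from the affected product), the following Java program applies the same restriction to both a DocumentBuilderFactory and, since the title concerns TransformerFactory, a TransformerFactory, then feeds each a constructed XXE-shaped document to confirm that the external reference is refused. The class and method names, the sample document and the placeholder file path are all assumptions of this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlAccess {

    // Constructed sample input (not from the advisory): an XXE-shaped document whose DTD
    // declares an external general entity pointing at a placeholder local file.
    static final String XXE_SAMPLE =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///tmp/placeholder-not-read.txt\"> ]>\n"
            + "<data>&ext;</data>";

    // DocumentBuilderFactory hardened as the advisory describes: access to external DTDs
    // (which covers external entities) and external schemas is restricted to no protocol at all.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() {
        DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return df;
    }

    // Same idea for TransformerFactory; the second attribute is ACCESS_EXTERNAL_STYLESHEET,
    // because XSLT's external references are stylesheets (xsl:import, xsl:include, document()).
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returns true when the hardened DOM parser refuses to resolve the external entity.
    static boolean domParserBlocksExternalEntity(String xml) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return false; // parsed silently: the external reference was resolved or ignored
        } catch (SAXParseException e) {
            // The JDK parser reports that the access "is not allowed due to restriction set by
            // the accessExternalDTD property"; the exact wording is implementation-specific.
            System.out.println("DocumentBuilder refused: " + e.getMessage());
            return true;
        }
    }

    // Returns true when an identity transform over the same input is refused for the same reason.
    static boolean transformerBlocksExternalEntity(String xml) throws Exception {
        Transformer identity = hardenedTransformerFactory().newTransformer();
        StringWriter out = new StringWriter();
        try {
            identity.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return false; // transformed silently: the external reference was resolved or ignored
        } catch (TransformerException e) {
            System.out.println("Transformer refused: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM parser blocked external entity:  " + domParserBlocksExternalEntity(XXE_SAMPLE));
        System.out.println("Transformer blocked external entity: " + transformerBlocksExternalEntity(XXE_SAMPLE));
    }
}
```

With the JDK's built-in parser and XSLTC transformer both checks print `true`. The attribute names are the standard JAXP 1.5 ones, but a third-party TransformerFactory or DocumentBuilderFactory on the classpath may reject them with IllegalArgumentException, so a deployment should verify which implementation `newInstance()` actually returns rather than assume the restriction took effect.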


Instructions

Customers using a 14.x release are advised to upgrade to the latest version.