yyin-talend (Collaborator)

Potential fix for https://github.com/Talend/component-runtime/security/code-scanning/30

To fix this XXE vulnerability, ensure that the JAXB Unmarshaller is configured to disallow external entity expansion and DTD parsing. The standard mitigation is to set a custom XMLInputFactory/SAXParserFactory or to use a javax.xml.stream.XMLStreamReader or javax.xml.parsers.SAXParser with features that disable DTDs and external entities, then pass the result to the JAXB Unmarshaller. The most portable and concise approach (recommended by OWASP and Oracle) is to use a hardened SAXSource, i.e., create a SAXParserFactory, disable external entities, and create an XMLReader for the parsing.

The concrete change is:
Replace the call to

.unmarshal(new StreamSource(new ByteArrayInputStream(value)), key)

with

.unmarshal(new SAXSource(xmlReader, new InputSource(new ByteArrayInputStream(value))), key)

where xmlReader is an XMLReader from a SAXParserFactory with DTD and external entity handling disabled. This requires importing org.xml.sax.InputSource, javax.xml.parsers.SAXParserFactory, and org.xml.sax.XMLReader. Only modify JAXBDecoder.java as shown; do not alter how JAXBContext is managed.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…entity in user-controlled data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
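The description above outlines the fix in prose but only shows the one-line call-site change. The following is an added example, not code from the component-runtime project or from the PR, showing the whole pattern end to end: a SAXParserFactory hardened against DTDs and external entities, an XMLReader taken from it, and a JAXB unmarshal over a SAXSource. The `Record` class, the `decode` helper, and the `file:///placeholder` URI in the rejected sample input are all constructed for this demonstration; the real JAXBDecoder keeps its own JAXBContext management, which this example does not try to reproduce.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedJaxbDecoder {

    /** Hypothetical payload type; the real decoder unmarshals whatever class the caller passes as `key`. */
    @XmlRootElement(name = "record")
    public static class Record {
        public String name;
    }

    /** Builds an XMLReader that refuses DOCTYPE declarations and external entities outright. */
    static XMLReader hardenedXmlReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Rejecting the DOCTYPE declaration is the single most effective XXE control:
        // no DTD means no entity declarations of any kind can be processed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation does not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory.newSAXParser().getXMLReader();
    }

    /** The hardened replacement for unmarshal(new StreamSource(...), key): the bytes now flow through the SAX reader. */
    static <T> T decode(byte[] value, Class<T> key)
            throws JAXBException, ParserConfigurationException, SAXException {
        JAXBContext context = JAXBContext.newInstance(key); // assumption: the real decoder caches this elsewhere
        XMLReader xmlReader = hardenedXmlReader();
        InputSource input = new InputSource(new ByteArrayInputStream(value));
        JAXBElement<T> element = context.createUnmarshaller().unmarshal(new SAXSource(xmlReader, input), key);
        return element.getValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: parses normally through the hardened reader.
        byte[] benign = "<record><name>alice</name></record>".getBytes(StandardCharsets.UTF_8);
        System.out.println("benign -> " + decode(benign, Record.class).name);

        // Constructed input carrying a DOCTYPE with an external entity; the hardened reader must refuse it
        // before any entity resolution happens. The SYSTEM URI is a placeholder, not a real resource.
        byte[] withDoctype = ("<!DOCTYPE record [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<record><name>&ext;</name></record>").getBytes(StandardCharsets.UTF_8);
        try {
            decode(withDoctype, Record.class);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (JAXBException e) {
            // JAXB wraps the SAXParseException raised by disallow-doctype-decl in an UnmarshalException.
            System.out.println("rejected as expected: " + e.getLinkedException());
        }
    }
}
```

The unmarshal(Source, Class) overload used here is the same shape as the call the PR changes, so the only behavioural difference at the call site is that parsing happens in the explicitly configured XMLReader rather than in whatever default parser the StreamSource path would have picked up. When reviewing a change like this, the check worth making is that the features are set on the factory before newSAXParser() is called and that the XMLReader is not later replaced by one the unmarshaller creates itself.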
@yyin-talend yyin-talend changed the title Potential fix for code scanning alert no. 30: Resolving XML external entity in user-controlled data fix(QTDI-1938): Resolving XML external entity in user-controlled data Sep 24, 2025

sonar-eks bot commented Sep 28, 2025

@yyin-talend yyin-talend marked this pull request as ready for review September 29, 2025 03:00
@undx (Member) left a comment


lgtm

@yyin-talend yyin-talend merged commit a95a906 into master Oct 17, 2025
8 checks passed
@yyin-talend yyin-talend deleted the yyin/QTDI-1938_ResolvingXMLsecurity branch October 17, 2025 08:08
yyin-talend added a commit that referenced this pull request Oct 20, 2025
…#1106)

* Potential fix for code scanning alert no. 30: Resolving XML external entity in user-controlled data

(cherry picked from commit a95a906)