Disable DTD and external entities support in XmlEventDecoder to prevent XXE and XML bomb attack [SPR-15797]

[spring-projects-issues]

Takuya Iwatsuka opened SPR-15797 and commented

An instance of XMLInputFactory in XmlEventDecoder supports DTD and external entities.
Because Jaxb2XMLDecoder uses XMLEventDecoder, this could be exploited to some kind of attack like XXE or XML Bomb.
To prevent these attacks, it should disable support DTD and external entities by setting properties of XMLInputFactory.

---

Affects: 5.0 RC2

Issue Links:

• XML input vulnerability based on DTD declaration [SPR-13136] #17727 XML input vulnerability based on DTD declaration

Referenced from: commits e4651d6

[spring-projects-issues]

Juergen Hoeller commented

We have a common setup for a defensive XMLInputFactory already, so I've taken the opportunity to factor it out to StaxUtils and reuse it in XmlEventDecoder now.

Thanks for raising this - just in time for 5.0 RC3!

[spring-projects-issues]

Takuya Iwatsuka commented

Thank you for the quick response.
I'm looking forward to the next release!