
Was the fix for XML parsing complete?

Open allonsyintensely opened this issue 1 year ago • 0 comments

Looking at #1571, I was wondering if the use of DocumentBuilderFactory.newDocumentBuilder (for example, in https://github.com/hapifhir/org.hl7.fhir.core/blob/60470b1a28155df059d30ce7754aec568efe4b30/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java#L440-L443) was also vulnerable to XXE attacks. I am curious about why TransformerFactory was fixed, but not DocumentBuilderFactory. I can also provide a PR.

Like in #1571, see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j.

allonsyintensely avatar Oct 02 '24 03:10 allonsyintensely