NASA-PDS / validate

Validates PDS4 product labels, data and PDS3 Volumes
https://nasa-pds.github.io/validate/
Apache License 2.0

Fix code scanning alert no. 468: Resolving XML external entity in user-controlled data #1060

Closed jordanpadams closed 3 days ago

jordanpadams commented 2 weeks ago

Fixes https://github.com/NASA-PDS/validate/security/code-scanning/468

To fix the problem, we need to configure the SchemaFactory to disable DTDs and external entities. This can be done by setting specific features on the SchemaFactory instance. The best way to fix this without changing existing functionality is to add these configurations in the constructor of the SchemaValidator class.

  1. Set the feature http://apache.org/xml/features/disallow-doctype-decl to true to disallow DTDs.
  2. Set the feature http://xml.org/sax/features/external-general-entities to false to disallow external general entities.
  3. Set the feature http://xml.org/sax/features/external-parameter-entities to false to disallow external parameter entities.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
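The three-step configuration described in the PR, written out as an added example. This is not the project's `SchemaValidator` code and is not the Copilot-generated patch; it is a stand-alone Java program that builds a `javax.xml.validation.SchemaFactory` with the three features named above, fails closed if the underlying parser does not recognize one of them, and then compiles a small constructed XSD to show that ordinary schema loading still works. The class name `HardenedSchemaFactoryExample`, the helper names, and the sample schema are all assumptions; the additional `ACCESS_EXTERNAL_DTD` property is JAXP 1.5 hardening that goes beyond the PR's three steps.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/** Added example (not the validate project's code): a SchemaFactory hardened as in the PR description. */
public class HardenedSchemaFactoryExample {

    // The three features named in the PR description.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";

    /**
     * Builds a SchemaFactory that refuses DTDs and external entities while loading schemas.
     * Steps 1-3 mirror the PR; the ACCESS_EXTERNAL_DTD property is extra hardening.
     */
    public static SchemaFactory newHardenedSchemaFactory() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);

        // Step 1: reject any DOCTYPE declaration in a schema document.
        setFeatureOrFail(factory, DISALLOW_DOCTYPE, true);
        // Step 2: do not resolve external general entities.
        setFeatureOrFail(factory, EXTERNAL_GENERAL_ENTITIES, false);
        // Step 3: do not resolve external parameter entities.
        setFeatureOrFail(factory, EXTERNAL_PARAMETER_ENTITIES, false);

        // Beyond the PR: an empty protocol list blocks every external DTD fetch (JAXP 1.5).
        // ACCESS_EXTERNAL_SCHEMA is deliberately left at its default here, because loading
        // referenced schemas over the network is part of what a label validator has to do.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return factory;
    }

    /** Fail closed: a factory that cannot honor a restriction must not be used silently. */
    private static void setFeatureOrFail(SchemaFactory factory, String feature, boolean value)
            throws SAXException {
        try {
            factory.setFeature(feature, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new SAXException("SchemaFactory cannot enforce " + feature + "=" + value, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample schema (not a PDS4 schema) to show ordinary XSDs still compile.
        String xsd = "<?xml version=\"1.0\"?>"
            + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
            + "  <xs:element name=\"product\" type=\"xs:string\"/>"
            + "</xs:schema>";

        SchemaFactory factory = newHardenedSchemaFactory();
        Schema schema = factory.newSchema(new StreamSource(new StringReader(xsd)));

        // The Validator is a separate object with its own settings; apply the same DTD policy to it.
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");

        // Constructed instance document that conforms to the sample schema.
        validator.validate(new StreamSource(new StringReader("<product>sample</product>")));
        System.out.println("Schema compiled and instance validated with the hardened factory.");
    }
}
```

The features set on the `SchemaFactory` govern how schema documents are parsed, which is the code-scanning finding this PR addresses; they are not inherited by the `Validator` that later parses instance labels, so the example applies the DTD policy to the validator separately. Wrapping `setFeature` so that an unrecognized feature aborts construction matters because a SAX implementation that ignores the request would otherwise leave the factory with its permissive defaults.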

jordanpadams commented 2 weeks ago

Auto-generated code scan fix thanks to Copilot 🎉