Closed Elknar closed 6 years ago
Applied the change. Thanks for raising the issue.
@k2n terribly sorry, I forgot to include an important part in the original post:
(.setFeature doc "http://xml.org/sax/features/external-general-entities" false)
is also necessary, as the above only protects from external parameters.
The current default config allows external entity processing: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing . This will lead to an XML injection issue, at the very least allowing an unauthorized party read access to the file system.
Adding this to the `new-doc-builder` fn should help.

Additionally, there are no restrictions on the entity size; this may lead to denial of service with an XML bomb.
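The hardening discussed in this thread, written out as an added example that is not the project's own code: it uses the JDK's `javax.xml.parsers.DocumentBuilderFactory` directly, disables external general and external parameter entities, rejects DOCTYPE declarations outright (which also stops entity-expansion bombs), and turns on JAXP secure processing for its expansion limits. The `hardened-doc-builder` and `parse-string` names, the namespace, and the sample inputs are constructed for this illustration; the feature URIs are the standard SAX/Xerces/JAXP ones.

```clojure
;; Added example, not code from the project or the thread participants.
;; Builds a DocumentBuilder that refuses the constructs behind XXE and XML bombs.
(ns xxe-hardening-example
  (:import [javax.xml.parsers DocumentBuilderFactory DocumentBuilder]
           [javax.xml XMLConstants]
           [java.io ByteArrayInputStream]
           [org.xml.sax SAXParseException]))

(defn hardened-doc-builder
  "Returns a DocumentBuilder configured to reject DTDs and external entities."
  ^DocumentBuilder []
  (let [dbf (DocumentBuilderFactory/newInstance)]
    ;; Reject any DOCTYPE declaration. With no DTD there are no entity
    ;; declarations at all, so neither external entities nor 'billion laughs'
    ;; style expansion can be expressed in the input.
    (.setFeature dbf "http://apache.org/xml/features/disallow-doctype-decl" true)
    ;; Defence in depth for configurations that must allow a DOCTYPE elsewhere:
    ;; both entity kinds named in the thread are switched off explicitly.
    (.setFeature dbf "http://xml.org/sax/features/external-general-entities" false)
    (.setFeature dbf "http://xml.org/sax/features/external-parameter-entities" false)
    ;; Never fetch an external DTD referenced by the document.
    (.setFeature dbf "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)
    ;; JAXP secure processing enforces entity-expansion and size limits.
    (.setFeature dbf XMLConstants/FEATURE_SECURE_PROCESSING true)
    ;; XInclude is another route to reading arbitrary resources; keep it off.
    (.setXIncludeAware dbf false)
    (.setExpandEntityReferences dbf false)
    (.newDocumentBuilder dbf)))

(defn parse-string
  "Parses XML text with the hardened builder. Returns the DOM Document, or
  :rejected when the parser refuses the input."
  [^String s]
  (try
    (.parse (hardened-doc-builder)
            (ByteArrayInputStream. (.getBytes s "UTF-8")))
    (catch SAXParseException _ :rejected)))

;; Constructed sample inputs (not taken from the thread).
(def benign-xml "<root><item>ok</item></root>")
;; A document carrying a DOCTYPE with an internal entity declaration: exactly the
;; shape that external-entity and expansion-bomb payloads are built on.
(def doctype-xml "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>")

(defn demo []
  {:benign   (some? (parse-string benign-xml))   ; => true, parsed to a Document
   :doctype  (parse-string doctype-xml)})          ; => :rejected
```

`demo` returns `{:benign true :doctype :rejected}`: ordinary markup parses, while any input that declares a DTD is rejected before entity resolution can happen, which is the behaviour the original post asks for and also closes the entity-size concern raised at the end.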