mybatis / ibatis-2

iBATIS 2.x
Apache License 2.0
98 stars 110 forks

Fix code scanning alert no. 4: Resolving XML external entity in user-controlled data #254

Closed hazendaz closed 3 weeks ago

hazendaz commented 3 weeks ago

Fixes https://github.com/mybatis/ibatis-2/security/code-scanning/4

To fix the problem, we need to disable the expansion of external entities by setting setExpandEntityReferences(false) on the DocumentBuilderFactory. This change will prevent the parser from resolving external entities, thus mitigating the risk of XXE attacks.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
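The hardening described in the comment above, as an added example that is not ibatis-2's own code: it builds a `DocumentBuilderFactory` with `setExpandEntityReferences(false)` as the PR does, and additionally applies the parser features OWASP recommends against XXE (no external general or parameter entities, no external DTD loading, no XInclude, secure processing on), which goes beyond the single setter named in the PR. The two XML documents, the class name, the DTD URL and the `file:///placeholder/...` path are all constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Hardened DocumentBuilderFactory construction (added example, not ibatis-2 code). */
public final class HardenedXmlParsing {

    /** Builds a factory that never resolves external entities or external DTDs. */
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The setter named in the PR: leave entity references unexpanded in the DOM.
        dbf.setExpandEntityReferences(false);
        // Defence in depth (OWASP XXE guidance): stop the parser from fetching
        // external general/parameter entities and external DTDs at all, and
        // switch off XInclude, which is another route to reading local files.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        return dbf;
    }

    /** Parses an XML string with the hardened factory. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilder db = newHardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Constructed sample shaped like an iBATIS sqlMapConfig: it carries a DOCTYPE
    // with a SYSTEM identifier. Because external DTD loading is disabled the
    // identifier is never fetched, so DOCTYPE-bearing config files still parse
    // offline (DOCTYPE itself is not rejected, only external resolution).
    private static final String CONFIG_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE sqlMapConfig SYSTEM \"http://example.invalid/sql-map-config-2.dtd\">\n"
      + "<sqlMapConfig><sqlMap resource=\"Account.xml\"/></sqlMapConfig>";

    // Constructed sample declaring an external general entity. With the features
    // above the JDK's built-in Xerces skips the reference instead of reading the
    // SYSTEM identifier, so the element's text content stays empty.
    private static final String EXTERNAL_ENTITY_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/never-read\">]>\n"
      + "<d>&ext;</d>";

    /** Returns true if the external entity's content reached the DOM (it must not). */
    public static boolean externalEntityWasExpanded() throws Exception {
        Document d = parse(EXTERNAL_ENTITY_XML);
        return !d.getDocumentElement().getTextContent().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        Document cfg = parse(CONFIG_XML);
        String resource = cfg.getElementsByTagName("sqlMap").item(0)
                             .getAttributes().getNamedItem("resource").getNodeValue();
        System.out.println("sqlMap resource = " + resource);
        System.out.println("external entity expanded? " + externalEntityWasExpanded());
    }
}
```

The practical caveat for a code base like ibatis-2, whose own XML files begin with a DOCTYPE, is that the stricter `http://apache.org/xml/features/disallow-doctype-decl` feature would reject every config file; the combination above keeps DOCTYPE parsing but removes every path by which the parser would reach outside the document.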

coveralls commented 3 weeks ago


coverage: 65.153%. remained the same when pulling 29b29f94dd125e36f7f09e765d3503519a83a1d0 on autofix/alert-4-2f1a331131 into 1378858285c2db8b2b26dc90014f661cf722323d on master.