Document XML parser usage against security false positives #33713
Labels
in: core
Issues in core modules (aop, beans, core, context, expression)
type: documentation
A documentation task
We received quite a few false positive CVE reports about XXE (XML external entity) attacks recently. This seems to be the result of code search and automated tools that look for SAXParserFactory, TransformerFactory or DocumentBuilderFactory usage, without considering usage or context. In Spring Framework, all XML parsing of "user content" is done with the external entities support turned off by default. Other places are about internal application usage (such as parsing XML configuration) and do not qualify as privilege escalation.
We should add dedicated comments in the source code to prevent future invalid reports in this area.
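As an added illustration (not Spring Framework code, and not from this issue), the hypothetical helper below shows the three JAXP factories named above handed out with external entity support switched off, together with the kind of source comment the issue proposes so that scanners and reviewers see the context at the point of use:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

// Hypothetical helper class; the name and layout are assumptions for this example.
public final class XmlFactories {

    private XmlFactories() {}

    // Security note for reviewers and scanners: DTDs and external general/parameter
    // entities are disabled here, so documents parsed with this factory are not
    // subject to XXE even when the input is untrusted "user content".
    public static DocumentBuilderFactory documentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Same protections for the SAX path; setFeature declares the SAX checked exceptions.
    public static SAXParserFactory saxParserFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    // For XSLT, external DTD and stylesheet access are denied via the JAXP
    // properties; an empty string means no protocol is allowed.
    public static TransformerFactory transformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }
}
```

The Apache feature URIs are honored by the JDK's built-in Xerces-based parser; a third-party JAXP implementation may reject them with ParserConfigurationException, which is the safe failure mode.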