
Document XML parser usage against security false positives #33713

Closed
bclozel opened this issue Oct 15, 2024 · 0 comments
Assignees: bclozel
Labels: in: core (Issues in core modules (aop, beans, core, context, expression)); type: documentation (A documentation task)
Milestone: 6.2.0-RC2

Comments

bclozel (Member) commented Oct 15, 2024

We received quite a few false positive CVE reports about XXE (XML external entity) attacks recently. This seems to be the result of code search and automated tools that look for SAXParserFactory, TransformerFactory or DocumentBuilderFactory usage, without considering usage or context.

In Spring Framework, all XML parsing of "user content" is done with the external entities support turned off by default. Other places are about internal application usage (such as parsing XML configuration) and do not qualify as privilege escalation.

We should add dedicated comments in the source code to prevent future invalid reports in this area.

@bclozel bclozel added type: documentation A documentation task in: core Issues in core modules (aop, beans, core, context, expression) labels Oct 15, 2024
@bclozel bclozel added this to the 6.2.0-RC2 milestone Oct 15, 2024
@bclozel bclozel self-assigned this Oct 15, 2024
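For readers triaging such scanner reports, the following is an added example (not Spring Framework's own code) of what "external entities support turned off" looks like for the three JAXP factories the issue names: SAXParserFactory, DocumentBuilderFactory and TransformerFactory. It also shows that a hardened DocumentBuilder refuses a document carrying a DOCTYPE. The class name, the constructed XML strings and the `isRejected` helper are assumptions made for this illustration; the feature URIs and `XMLConstants` attributes are the standard JDK/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example, not Spring Framework code: JAXP factories configured so that
 * external entity resolution is disabled, which is the property a scanner
 * should check for before reporting an XXE finding on factory usage alone.
 */
public class HardenedXmlFactories {

    // Standard SAX/Xerces feature URIs understood by the JDK's built-in parser.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** DocumentBuilderFactory for untrusted input: no DOCTYPE, no external entities, no XInclude. */
    public static DocumentBuilderFactory documentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);            // any <!DOCTYPE> is a hard parse error
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);  // belt and braces if DOCTYPE were ever allowed
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);                       // XInclude can also pull in external resources
        f.setExpandEntityReferences(false);
        return f;
    }

    /** SAXParserFactory with the same entity restrictions. */
    public static SAXParserFactory saxParserFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        return f;
    }

    /** TransformerFactory that is not allowed to fetch external DTDs or stylesheets. */
    public static TransformerFactory transformerFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // empty string = no protocols allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** Helper (assumed for this example): true when the hardened builder refuses the document. */
    public static boolean isRejected(String xml) throws Exception {
        try {
            Document doc = documentBuilderFactory().newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)));
            return doc == null;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demonstration; the second one carries a DOCTYPE
        // with an external entity, the shape an XXE scanner is worried about.
        String plain = "<config><name>demo</name></config>";
        String withDoctype = "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///nonexistent\">]>"
                + "<config><name>&ext;</name></config>";

        System.out.println("plain document rejected: " + isRejected(plain));
        System.out.println("DOCTYPE document rejected: " + isRejected(withDoctype));
    }
}
```

With the JDK's built-in Xerces parser the plain document parses and the DOCTYPE-bearing one fails with a SAXParseException before any entity is resolved, so the external reference is never fetched. The distinction the issue draws still applies: a factory without these settings is only a finding if the document it parses can be supplied by an untrusted party; the same factory reading the application's own packaged configuration gives the attacker nothing they did not already control.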