@scyt01 scyt01 commented Aug 13, 2025

This PR addresses a potential vulnerability in the parse() function in XmlUtil.java that could lead to XML External Entity (XXE) attacks because it does not explicitly disable features that allow external entities and Document Type Definitions (DTDs), which are the primary vectors for XXE attacks. This issue was originally reported and resolved in the repository via this commit codelibs/fess@4e0d9f5.

Fix

  • Disabling External General Entities, External Parameter Entities, Loading of External DTDs
    • Ensures that the DOMParser processes only the XML content provided in the input stream without resolving or loading any external resources

References
CWE-611: Improper Restriction of XML External Entity Reference
https://nvd.nist.gov/vuln/detail/cve-2018-1000632
codelibs/fess@4e0d9f5
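As an added example (not the PR's diff and not Mondrian's XmlUtil code), this is what a DOMParser configured with the three Xerces features named in the description looks like, together with a stricter option the PR does not include: rejecting any DOCTYPE outright. The class name, the parse() signature, the rejectDoctype flag and the sample input are assumptions made here.

```java
import java.io.IOException;
import java.io.StringReader;

import org.apache.xerces.parsers.DOMParser;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedXmlParse {
    // Xerces feature URIs for the three features the PR description says are disabled.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // Stricter option, not part of the PR: refuse any DOCTYPE at all (assumed addition).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Parses untrusted XML without resolving external entities or loading external DTDs. */
    public static Document parse(InputSource source, boolean rejectDoctype)
            throws SAXException, IOException {
        DOMParser parser = new DOMParser();
        parser.setFeature(EXT_GENERAL, false);
        parser.setFeature(EXT_PARAMETER, false);
        parser.setFeature(LOAD_EXT_DTD, false);
        if (rejectDoctype) {
            parser.setFeature(DISALLOW_DOCTYPE, true);
        }
        parser.parse(source);
        return parser.getDocument();
    }

    public static void main(String[] args) throws Exception {
        // Constructed regression input: declares an external entity that points at a
        // placeholder URI. A hardened parser must not try to fetch it.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>\n"
            + "<doc>&ext;</doc>";

        Document doc = parse(new InputSource(new StringReader(xml)), false);
        String text = doc.getDocumentElement().getTextContent();
        // The unresolved reference contributes no text; a parser that fetched the
        // resource would have placed its contents here.
        System.out.println("external entity expanded: " + !text.isEmpty());

        try {
            parse(new InputSource(new StringReader(xml)), true);
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Checking the parsed text for an unexpected expansion, as main() does, is the regression test to keep next to the fix; the disallow-doctype option is the right choice where the XML being parsed is never expected to carry a DTD.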

@scyt01 scyt01 requested a review from a team as a code owner August 13, 2025 11:36
@buildguy
Collaborator

👍 Frogbot scanned this pull request and did not find any new security issues.

@buildguy
Collaborator

✅ Build finished in 19m 48s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -DrunITs -pl mondrian

👌 All tests passed!

Tests run: 3310, Failures: 0, Skipped: 0


ℹ️ This is an automatic message


Passed

Analysis Details

0 Issues

  • Bugs: 0
  • Vulnerabilities: 0
  • Code Smells: 0

Coverage and Duplications

  • Coverage: 100.00% (70.00% estimated after merge)
  • Duplicated Code: 0.00% (2.70% estimated after merge)

Project ID: pentaho:pentaho-mondrian-parent-pom
