Skip to content

re-apply entity/DTD hardening after JDK deserialization of XmlFactory#878

Open
Sahana2524 wants to merge 1 commit into
FasterXML:3.xfrom
Sahana2524:readresolve-secure-xmlinputfactory
Open

re-apply entity/DTD hardening after JDK deserialization of XmlFactory#878
Sahana2524 wants to merge 1 commit into
FasterXML:3.xfrom
Sahana2524:readresolve-secure-xmlinputfactory

Conversation

@Sahana2524

Copy link
Copy Markdown

Entity/DTD hardening dropped after JDK deserialization

XmlFactory.readResolve() rebuilds the XMLInputFactory from only its stored class name, so the reconstructed factory comes back at plain Stax defaults with external-entity and DTD processing enabled again. A mapper that was safe by default silently regains the entity-expansion/XXE surface after a serialize then deserialize roundtrip. I moved the builder's hardening into a small shared helper and call it from readResolve so the two factory-building paths can't drift.

Reproduces with a stock new XmlMapper(): reading <!DOCTYPE foo [ <!ENTITY x "HELLO"> ]><foo>&x;</foo> throws before serialization, but after a JDK roundtrip &x; expands to HELLO. Added a regression test alongside the existing serialization/DTD tests.

@pjfanning

Copy link
Copy Markdown
Member

@Sahana2524 Thanks. We require a CLA as described in https://github.com/FasterXML/jackson/blob/main/CONTRIBUTING.md#paperwork - could you provide a CLA based on this?

@github-actions

Copy link
Copy Markdown

🧪 Code Coverage Report

Metric Coverage Change
Instructions coverage 73.54% 📈 +0.010%
Branches branches 68.03% 📈 +0.000%

Coverage data generated from JaCoCo test results

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants