Skip to content

Improved setup for XML parsing #1284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
labkey-jeckels merged 4 commits into from
Feb 16, 2026
Merged

Improved setup for XML parsing #1284

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
536e744
Improved validation for XML parsing and paths
labkey-jeckels Feb 16, 2026
42c4aa5
Comments and consistency
labkey-jeckels Feb 16, 2026
3c06ce2
Fix typo
labkey-jeckels Feb 16, 2026
05e7954
Merge branch 'develop' into fb_miscCleanup
labkey-jeckels Feb 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,12 @@ private String nameFromModuleXML(InputStream is) throws IOException

try
{
SAXParser parser = SAXParserFactory.newDefaultInstance().newSAXParser();
SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Copy link
Copy Markdown
Contributor

@labkey-alan labkey-alan Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to this blog post I found from 2012 these settings seem to be mutually exclusive. My understanding is that you need to either disable doctype declaration (what this line does) or disable external entities (what the following two lines do). I'm not sure it's problematic to do both though, so maybe we should keep it.

https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/

Copy link
Copy Markdown
Contributor Author

@labkey-jeckels labkey-jeckels Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, should be safe to do both, just in case.

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser parser = factory.newSAXParser();
parser.parse(is, new DefaultHandler()
{
final ArrayList<String> elementStack = new ArrayList<>();
Expand Down