Add support for `XMLConstants.FEATURE_SECURE_PROCESSING` via SAX/Stax factories #61

cowtowncoder · 2018-08-23T19:48:48Z

note: behavior clarified in JEP=185). Also related: #51

So: to support more standard JAXP/Staax configuration, let's add support for "secure processing" configurability. This will be in addition to Woodstox-specific (and more convenient, but only if using Woodstox) configuration options... although looks like there was no "configureForSecurity()` yet, so we might as well add that as an alias.

cowtowncoder · 2019-07-14T03:58:23Z

Added skeletal support for both Stax and SAX factories: enabling via setProperty/setFeature (Stax / SAX) will disable resolution of external parsed entities, which seems like the only obvious setting.
Since Woodstox already sets reasonably size limits, did not add stricter settings although if someone suggests better settings I am open to further changes.

Note that I did not add support for either system property or jaxp.properties -- if those are desired, please file a separate issue.

cowtowncoder · 2019-07-15T00:44:34Z

Will be included in 5.3.0 to be released today.

deanshapira · 2020-10-28T07:04:30Z

@cowtowncoder is there a CVE associated with this security vulnerability?

cowtowncoder · 2020-10-28T16:16:54Z

@deanshapira Not that I know of. Since it simply bundles enabling of existing settings I don't think it would qualify.

cowtowncoder added the active Issue being actively investigated label Aug 23, 2018

PascalSchumacher mentioned this issue Jun 12, 2019

Can not use woodstox SAX Parser with JAXB due to unrecognized feature #77

Closed

cowtowncoder added this to the 5.3.0 milestone Jul 14, 2019

cowtowncoder closed this as completed in 7937f97 Jul 14, 2019

cowtowncoder changed the title ~~Add support for XMLConstants.FEATURE_SECURE_PROCESSING~~ Add support for XMLConstants.FEATURE_SECURE_PROCESSING via SAX/Stax factories Jul 14, 2019

cowtowncoder reopened this Jul 15, 2019

cowtowncoder closed this as completed Jul 15, 2019

mend-bolt-for-github bot mentioned this issue Nov 13, 2020

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar susanstdemos/spring-insecure-sample#139

Open

mend-bolt-for-github bot mentioned this issue Dec 15, 2020

WS-2018-0629 (High) detected in woodstox-core-5.1.0.jar - autoclosed mthbernardes/shaggy-rogers#50

Closed

mend-bolt-for-github bot mentioned this issue Dec 23, 2020

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar shukia/ServletAlfrescoRepository#10

Open

This was referenced Jan 5, 2021

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar billmcchesney1/flow#12

Open

WS-2018-0629 (Critical) detected in woodstox-core-5.0.2.jar billmcchesney1/flowgate#26

Open

mend-for-github-com bot mentioned this issue Jan 15, 2021

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed Dima2021/SecurityShepherd#7

Closed

mend-for-github-com bot mentioned this issue Feb 17, 2021

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar billmcchesney1/hadoop#25

Open

ybilevych mentioned this issue Mar 9, 2021

Update jar dependencies for allure-commandline-2.13.8 allure-framework/allure-npm#32

Closed

This was referenced Mar 10, 2021

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar vlaship/hadoop-wc#49

Open

WS-2018-0629 (High) detected in woodstox-core-5.0.2.jar greenetx/jenkins2-course-spring-boot#126

Open

mend-for-github-com bot mentioned this issue Aug 19, 2021

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar - autoclosed snowdensb/spring-boot#36

Closed

mend-for-github-com bot mentioned this issue Aug 31, 2021

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar Pio1006/SecurityShepherd#11

Open

1 task

mend-for-github-com bot mentioned this issue Nov 22, 2021

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed KaterinaOrg/SecurityShepherd#10

Closed

mend-for-github-com bot mentioned this issue Dec 3, 2021

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar jakethekid21/SecurityShepherd#8

Open

This was referenced Dec 16, 2021

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar ilan-WS/logging-log4j2#9

Open

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed SmartBear/soapui#663

Closed

mend-for-github-com bot mentioned this issue Dec 28, 2021

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar samjcs/saml-raider#15

Open

1 task

This was referenced Jan 1, 2022

WS-2018-0629 (Critical) detected in woodstox-core-5.0.3.jar interserver/mailbaby-api-samples#48

Closed

WS-2018-0629 (High) detected in woodstox-core-5.2.1.jar alapierre/crypto-util#2

Closed

mend-for-github-com bot mentioned this issue Jan 12, 2022

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar Shai-Demo-Org/SecurityShepherd#11

Open

mend-for-github-com bot mentioned this issue Jan 19, 2022

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed EliyaC/SecurityShepherd#11

Closed

This was referenced Feb 7, 2022

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed swagger-api/swagger-codegen#11700

Closed

opensaml-saml-impl-3.4.6.jar: 5 vulnerabilities (highest severity is: 9.1) yoswein/spring-security#4

Open

mend-for-github-com bot mentioned this issue Mar 1, 2022

woodstox-core-5.0.2.jar: 6 vulnerabilities (highest severity is: 9.1) ShaharSinger/Maven-Test#2

Open

mend-bolt-for-github bot mentioned this issue Mar 14, 2022

tika-parsers-1.24.1.jar: 30 vulnerabilities (highest severity is: 9.8) Baneeishaque/Parse-Docx_Apache-Tika#18

Open

mend-for-github-com bot mentioned this issue Mar 30, 2022

java-saml-2.5.0.jar: 2 vulnerabilities (highest severity is: 9.1) shaimael/SecurityShepherd#17

Open

This was referenced Apr 21, 2022

woodstox-core-5.0.3.jar: 2 vulnerabilities (highest severity is: 9.1) - autoclosed Dima2021/SecurityShepherd#41

Closed

java-saml-2.5.0.jar: 3 vulnerabilities (highest severity is: 9.1) elikkatzgit/SecurityShepherd#12

Open

mend-for-github-com bot mentioned this issue May 2, 2022

java-saml-2.5.0.jar: 3 vulnerabilities (highest severity is: 9.1) timf-app-demo/SecurityShepherd#11

Open

dev-mend-for-github-com bot mentioned this issue May 8, 2022

java-saml-2.5.0.jar: 1 vulnerabilities (highest severity is: 9.1) sultanabubaker/TKA-3408#9

Open

saurav1910 mentioned this issue Dec 3, 2022

Add support for XMLConstants.ACCESS_EXTERNAL_DTD #162

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for `XMLConstants.FEATURE_SECURE_PROCESSING` via SAX/Stax factories #61

Add support for `XMLConstants.FEATURE_SECURE_PROCESSING` via SAX/Stax factories #61

cowtowncoder commented Aug 23, 2018

cowtowncoder commented Jul 14, 2019

cowtowncoder commented Jul 15, 2019

deanshapira commented Oct 28, 2020

cowtowncoder commented Oct 28, 2020

Add support for XMLConstants.FEATURE_SECURE_PROCESSING via SAX/Stax factories #61

Add support for XMLConstants.FEATURE_SECURE_PROCESSING via SAX/Stax factories #61

Comments

cowtowncoder commented Aug 23, 2018

cowtowncoder commented Jul 14, 2019

cowtowncoder commented Jul 15, 2019

deanshapira commented Oct 28, 2020

cowtowncoder commented Oct 28, 2020

Add support for `XMLConstants.FEATURE_SECURE_PROCESSING` via SAX/Stax factories #61

Add support for `XMLConstants.FEATURE_SECURE_PROCESSING` via SAX/Stax factories #61