MLE-27553 MLE-27554 MLE-27555 MLE-27556: Fix XXE Injection - XML External Entity Polaris medium severity issues#577

Merged
vshaniga merged 3 commits into marklogic:develop from vshaniga:XXE-Injection-Polaris-fixes
Mar 30, 2026
Conversation

@vshaniga (Collaborator)

Problem

XML parsers were created without disabling external entity resolution (CWE-611), which could allow XXE attacks including arbitrary file reads, SSRF, and denial of service via entity expansion.


Changes

1. XMLInputFactory (StAX parsers)

Files:

  • AggregateXMLReader.java
  • CompressedAggXMLReader.java

Used setProperty (correct API for StAX):

Disabled:

  • XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES = false
  • XMLInputFactory.SUPPORT_DTD = false

2. TransformerFactory (XSLT processing)

Files:

  • DOMDocument.java
  • JSONDocument.java

Used setAttribute (correct API for transformers):

Disabled:

  • XMLConstants.ACCESS_EXTERNAL_DTD = ""
  • XMLConstants.ACCESS_EXTERNAL_STYLESHEET = ""

Wrapped property/attribute configuration in try-catch (IllegalArgumentException)
Logs a warning if a property is unsupported

Testing

  • Ran unit tests for sanity check → All passed

06mlcp test suite results

The following tests are failing:

  • bug17845.xml
  • mlcp-basic-8000.xml
  • mlcp-aggregates-8000.xml
  • mlcp-ssl-protocal-tls-49273.xml
  • mlcp-export-query-filter.xml
  • mlcp-group-host-count.xml

The same failures exist without the changes.

Copilot AI review requested due to automatic review settings March 24, 2026 09:57

Copilot AI left a comment

Pull request overview

This PR addresses Polaris-reported XXE (CWE-611) risks by hardening XML parsing (StAX) and transformation (JAXP TransformerFactory) to prevent external entity / external resource resolution.

Changes:

  • Disable external entity resolution and DTD support on XMLInputFactory instances used by aggregate XML readers.
  • Restrict external DTD and stylesheet access on TransformerFactory instances used by document serialization.
  • Add warning logs when security attributes/properties are not supported by the underlying XML implementation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
src/main/java/com/marklogic/mapreduce/JSONDocument.java Hardens TransformerFactory by restricting external DTD/stylesheet access.
src/main/java/com/marklogic/mapreduce/DOMDocument.java Hardens TransformerFactory by restricting external DTD/stylesheet access.
src/main/java/com/marklogic/contentpump/CompressedAggXMLReader.java Hardens StAX XMLInputFactory by disabling external entities and DTDs.
src/main/java/com/marklogic/contentpump/AggregateXMLReader.java Hardens StAX XMLInputFactory by disabling external entities and DTDs.

Contributor
@NeoSaber NeoSaber left a comment

I think copilot's suggestions to separate out the double property/attribute sets into their own try/catch blocks should be implemented. It would be the safer approach to ensure that each one is at least attempted, and that one failing doesn't stop the other from trying.

@vshaniga (Collaborator, Author)

Separated each setAttribute (TransformerFactory) and setProperty (XMLInputFactory) call into individual try/catch blocks.

Also improved warning logs to be more descriptive and consistent.
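As an added illustration of the approach described in the PR description and in this follow-up (not code from the PR or from mlcp): both hardened factory constructors, each property or attribute set in its own try/catch so that one unsupported setting cannot prevent the other from being applied, plus a read-back check a unit test can assert on. The class, method and log message names are hypothetical.

```java
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;

/** Hypothetical helper showing the per-setting try/catch hardening described in the PR. */
public final class HardenedXmlFactories {
    private static final Logger LOG = Logger.getLogger(HardenedXmlFactories.class.getName());

    /** StAX factory with external entities and DTD support disabled (CWE-611 mitigation). */
    public static XMLInputFactory newInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // setProperty throws IllegalArgumentException when the implementation
        // does not support the property; each setting gets its own block.
        try {
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        } catch (IllegalArgumentException e) {
            LOG.warning("XMLInputFactory does not support IS_SUPPORTING_EXTERNAL_ENTITIES: " + e.getMessage());
        }
        try {
            f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        } catch (IllegalArgumentException e) {
            LOG.warning("XMLInputFactory does not support SUPPORT_DTD: " + e.getMessage());
        }
        return f;
    }

    /** JAXP transformer factory with external DTD and stylesheet access blocked. */
    public static TransformerFactory newTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        // An empty string means "no protocol allowed" for the ACCESS_EXTERNAL_* attributes.
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (IllegalArgumentException e) {
            LOG.warning("TransformerFactory does not support ACCESS_EXTERNAL_DTD: " + e.getMessage());
        }
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            LOG.warning("TransformerFactory does not support ACCESS_EXTERNAL_STYLESHEET: " + e.getMessage());
        }
        return f;
    }

    /** Read-back check for a unit test: both StAX settings are actually off on this factory. */
    public static boolean staxHardeningApplied(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD));
    }
}
```

The read-back check is the useful regression guard: a future swap of the StAX provider on the classpath that silently rejects one of the properties would then fail the test instead of only emitting a warning.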

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Contributor
@NeoSaber NeoSaber left a comment

The new changes look good. I would ignore copilot's updated review. It's nitpicking its own desired fix now.

@vshaniga vshaniga requested a review from abika5 March 26, 2026 15:48
Contributor

@abika5 abika5 left a comment

Looks good to me. Thanks.

@vshaniga vshaniga merged commit c3b1402 into marklogic:develop Mar 30, 2026
8 checks passed
SiddharthMaheshB pushed a commit to SiddharthMaheshB/marklogic-contentpump that referenced this pull request Apr 1, 2026
…rnal Entity Polaris medium severity issues (marklogic#577)

* MLE-27554 MLE-27556: Fix XXE Injection - XML External Entity related to XMLInputFactory

* MLE-27553 MLE-27555: Fix XXE Injection - XML External Entity related to TransformerFactory

* MLE-27553 MLE-27554 MLE-27555 MLE-27556: Split XXE-prevention try/catch blocks and improve warning messages
vshaniga added a commit to vshaniga/marklogic-contentpump that referenced this pull request Apr 1, 2026
…rnal Entity Polaris medium severity issues (marklogic#577)

* MLE-27667 MLE-27669: Fix XXE Injection - XML External Entity related to XMLInputFactory

* MLE-27666 MLE-27668: Fix XXE Injection - XML External Entity related to TransformerFactory

* MLE-27666 MLE-27667 MLE-27668 MLE-27669: Split XXE-prevention try/catch blocks and improve warning messages