MLE-27666 MLE-27667 MLE-27668 MLE-27669 MLE-27670: Fix XXE Injection - XML External Entity and Weak crypto Polaris medium severity issues (Backport)#582

Merged
vshaniga merged 2 commits into marklogic:develop-11.3 from vshaniga:develop-11.3-backport
Apr 3, 2026
Conversation

@vshaniga
Collaborator

@vshaniga vshaniga commented Apr 3, 2026

These changes have already been validated on the develop branch.
Fix XXE Injection - XML External Entity: PR
Weak crypto: PR

Tests

  • Ran unit tests → All passed
  • Ran 06mlcp test suite — no regression failures were found in testing.

Copilot AI left a comment

Pull request overview

Backport of previously validated security fixes to address Polaris medium-severity findings by hardening XML processing against XXE and updating an example SSL configuration to avoid weak protocol usage.

Changes:

  • Disable external entity resolution and DTD support for StAX parsing in aggregate XML readers.
  • Restrict TransformerFactory external access (DTD/stylesheet) to mitigate XXE during XML transform/serialization.
  • Update the ContentReader example to use TLSv1.3 (and avoid hardcoded cipher suites).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

File: Description
  src/main/java/com/marklogic/mapreduce/JSONDocument.java: Harden TransformerFactory to block external DTD/stylesheet access (XXE prevention).
  src/main/java/com/marklogic/mapreduce/DOMDocument.java: Harden TransformerFactory to block external DTD/stylesheet access (XXE prevention).
  src/main/java/com/marklogic/contentpump/AggregateXMLReader.java: Disable DTD and external entity resolution on XMLInputFactory (XXE prevention).
  src/main/java/com/marklogic/contentpump/CompressedAggXMLReader.java: Disable DTD and external entity resolution on XMLInputFactory (XXE prevention).
  src/main/java/com/marklogic/mapreduce/examples/ContentReader.java: Update example SSL protocol from TLSv1 to TLSv1.3 and stop hardcoding cipher suites.

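The three hardening steps the review summary lists (StAX factory with DTD and external entities off, TransformerFactory with external DTD/stylesheet access blocked, and a TLSv1.3 context that keeps the JVM's default cipher suites) written out as an added, self-contained example. This is not code from the marklogic project or from this PR: the class name, method names and the constructed sample document with an external entity declaration are assumptions made for illustration, and the sample file path inside it is a placeholder that the hardened parsers must never read.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Added example (hypothetical class): JAXP hardening of the kind this backport applies. */
public class XxeHardeningDemo {

    // Constructed sample: an aggregate document whose internal DTD declares an
    // external entity. A parser that resolves it would read the referenced file
    // (placeholder path) and splice its contents into the <record> element.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE records [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\"> ]>\n"
        + "<records><record>&ext;</record></records>\n";

    /** StAX factory with DTD processing and external entity resolution disabled. */
    public static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** TransformerFactory that refuses to fetch external DTDs, entities and stylesheets. */
    public static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        // An empty protocol list means "no external access at all".
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** TLSv1.3 context; cipher suites come from the JVM defaults, not a hardcoded list. */
    public static SSLContext tls13Context()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null); // null = platform default key/trust managers and RNG
        return ctx;
    }

    /** Streams every text node through the given factory and returns the concatenated text. */
    public static String readText(XMLInputFactory f, String xml) throws XMLStreamException {
        StringBuilder sb = new StringBuilder();
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    /** Identity transform (parse + serialize), the path DOM/JSON document writers typically take. */
    public static String identityTransform(TransformerFactory tf, String xml)
            throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // With both factories hardened, the external entity is either rejected with an
        // exception or left unexpanded; in neither case is the referenced file read.
        try {
            System.out.println("StAX text: [" + readText(hardenedInputFactory(), HOSTILE_XML) + "]");
        } catch (XMLStreamException e) {
            System.out.println("StAX rejected the document: " + e.getMessage());
        }
        try {
            System.out.println("Transform output: " + identityTransform(hardenedTransformerFactory(), HOSTILE_XML));
        } catch (TransformerException e) {
            System.out.println("Transformer rejected the document: " + e.getMessage());
        }
        System.out.println("TLS protocol: " + tls13Context().getProtocol()
            + ", default suites: " + tls13Context().getDefaultSSLParameters().getCipherSuites().length);
    }
}
```

Two practical checks when applying this pattern: `TransformerFactory.setAttribute` throws `IllegalArgumentException` on implementations that do not recognise the `XMLConstants.ACCESS_EXTERNAL_*` attributes (the JDK's built-in processor has supported them since JAXP 1.5; some third-party XSLT engines do not), so guard the call or pin the implementation; and `SUPPORT_DTD=false` on its own is not enough for every StAX implementation, which is why the external-entities property is set explicitly as well.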
@vshaniga vshaniga merged commit f5bd4af into marklogic:develop-11.3 Apr 3, 2026
7 checks passed
@vshaniga vshaniga deleted the develop-11.3-backport branch April 3, 2026 11:44