Closed
Labels: in: core (Issues in core modules (aop, beans, core, context, expression)), type: documentation (A documentation task)
Description
We received quite a few false positive CVE reports about XXE (XML external entity) attacks recently. This seems to be the result of code search and automated tools that look for SAXParserFactory, TransformerFactory or DocumentBuilderFactory usage, without considering usage or context.
In Spring Framework, all XML parsing of "user content" is done with the external entities support turned off by default. Other places are about internal application usage (such as parsing XML configuration) and do not qualify as privilege escalation.
We should add dedicated comments in the source code to prevent future invalid reports in this area.
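As an added example (not code from the Spring Framework or from this issue), the kind of hardened configuration the description refers to: each of the three factories the scanners flag, set up so that DOCTYPE declarations and external entities are rejected, plus a constructed sample document showing the rejection. The class name and the placeholder entity URI are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added example, not Spring code: JAXP factories with external entity resolution disabled. */
public final class HardenedXmlFactories {
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Rejecting the DOCTYPE outright means no DTD and therefore no entity definitions at all.
    public static DocumentBuilderFactory documentBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setFeature(EXTERNAL_GENERAL, false);   // belt and braces if DOCTYPE were ever allowed
        dbf.setFeature(EXTERNAL_PARAMETER, false);
        return dbf;
    }
    public static SAXParserFactory saxParserFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature(EXTERNAL_GENERAL, false);
        spf.setFeature(EXTERNAL_PARAMETER, false);
        return spf;
    }
    // Empty protocol lists stop the stylesheet or input from loading external DTDs or stylesheets.
    public static TransformerFactory transformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a document declaring an external entity (placeholder URI, not a real target).
        String untrusted = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
                + "<doc>&ext;</doc>";
        try {
            documentBuilderFactory().newDocumentBuilder().parse(new InputSource(new StringReader(untrusted)));
            System.out.println("parsed (unexpected with this configuration)");
        } catch (SAXParseException e) {
            // Expected path: the parser stops at the DOCTYPE, before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```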