Hi all, while working with org.geotools.wfs.GML, we have found that an application using this utility class to decode XML files might open itself up to an XML external entity (XXE) vulnerability.
Is it possible to control the underlying XML parser in some way to disable external entity and DTD processing to close this vulnerability? The way it currently works it would seem to me that org.geotools.wfs.GML should rather not be used in applications that accept data from 3rd parties. Since GML in turn uses org.geotools.xsd.Parser, I believe that more such vulnerabilities may exist in geotools.

If you are interested in the specifics, I can provide an example file and a small test class to demonstrate the vulnerability against gt-xsd-wfs 24.2, which I did not want to post on a public mailing list yet. You can find general information on XXE vulnerabilities at https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)

Kind regards,
Thorsten

_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
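The mitigation the post asks about, disabling DTD and external entity processing, is a standard JAXP parser configuration. The following is an added example and not GeoTools code; it does not show how org.geotools.xsd.Parser or org.geotools.wfs.GML are wired internally, and it assumes the application can parse with a JAXP DocumentBuilderFactory it controls (the class name SafeXmlParsing and the sample document are constructed for illustration). It builds a hardened factory and checks that a document carrying a DOCTYPE is refused before any entity could be resolved:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public final class SafeXmlParsing {

    /** Builds a JAXP DocumentBuilderFactory with DTD and external entity handling disabled. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so neither internal nor external DTDs can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude is another route to pulling in external documents; keep it off.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Parses the given XML with the hardened factory and reports whether the parser
     * rejected it. A rejected document never reaches application code, which is the
     * behaviour wanted for untrusted input that declares a DOCTYPE.
     */
    public static boolean rejectsDocument(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            // disallow-doctype-decl raises a SAXParseException as soon as the DOCTYPE is seen.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a GML-looking document that declares an external entity.
        // The SYSTEM URI is a placeholder; the hardened parser never attempts to resolve it.
        String untrusted = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE gml [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
                + "<gml:featureMember xmlns:gml=\"http://www.opengis.net/gml\">&ext;</gml:featureMember>";
        // Constructed sample: the same element without any DOCTYPE.
        String benign = "<gml:featureMember xmlns:gml=\"http://www.opengis.net/gml\">ok</gml:featureMember>";

        System.out.println("DOCTYPE document rejected: " + rejectsDocument(untrusted));
        System.out.println("plain document rejected:   " + rejectsDocument(benign));
    }
}
```

The same feature URIs are accepted by SAXParserFactory.setFeature, so the configuration carries over to SAX-based parsing. Whether a library such as GeoTools lets the caller inject a pre-configured factory is exactly the question the post raises; absent such a hook, the practical options are to validate input with a hardened parser before handing it to the library, or to reject any input containing a DOCTYPE at the application boundary.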