jmestwa-coder opened a new pull request, #12251: URL: https://github.com/apache/maven/pull/12251
**XXE via external entity resolution in the StAX XML parsers**

Maven's hand-written StAX readers build their parser with `XMLInputFactory.newFactory()`, and the Woodstox defaults resolve external entities. A `pom.xml`, `META-INF/maven/extension.xml` or `plugin.xml` read from a downloaded artifact can pull in `file://` or `http://` SYSTEM entities, which gives local file disclosure and SSRF while a build runs.

`SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` are now turned off on every input factory used to read XML. None of Maven's own formats carry a DOCTYPE, so this only rejects hostile input.

The added test in `ExtensionDescriptorBuilderTest` leaks a temp file through an external entity in an extension descriptor; it fails on the current tree and passes with the factories hardened.

- [x] Your pull request should address just one issue, without pulling in other changes.
- [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [x] Each commit in the pull request should have a meaningful subject line and body.
- [x] Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
- [ ] Run `mvn verify` to make sure basic checks pass.
- [ ] You have run the [Core IT][core-its] successfully.
- [x] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
- [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).

[core-its]: https://maven.apache.org/core-its/core-it-suite/

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
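To make the factory setting in the description concrete, here is an added example that is not code from the pull request or from Maven itself: it builds an `XMLInputFactory` with the two properties the PR turns off and feeds it a constructed descriptor carrying a SYSTEM entity, so a reviewer can see that the entity is no longer resolved. The class and method names and the placeholder file path are assumptions.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public final class HardenedStax {

    // Hardened factory: DTD processing and external entity resolution both
    // disabled, which is the configuration the PR applies to every reader.
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Returns the text of the first <name> element, a stand-in for a
    // descriptor field that Maven's readers would copy into a model object.
    public static String readName(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "name".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample descriptor (hypothetical path): the DOCTYPE declares
        // a SYSTEM entity, and the <name> element tries to expand it.
        String descriptor = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE extension [<!ENTITY ext SYSTEM \"file:///tmp/placeholder-secret.txt\">]>\n"
            + "<extension><name>&ext;</name></extension>";
        try {
            String value = readName(newHardenedFactory(), descriptor);
            // With DTD support off the entity is never declared, so a parser
            // that does not throw still cannot return the file's contents here.
            System.out.println("parsed without resolving the entity: " + value);
        } catch (XMLStreamException e) {
            // Woodstox reports the undeclared entity instead of reading the file.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running this against a default `XMLInputFactory.newFactory()` instead of `newHardenedFactory()` is the quick way to confirm locally which factories in a code base still resolve entities.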
