Re: [PR] Make XInclude opt-in and rework XML configuration hardening [logging-log4j2]

Thu, 11 Jun 2026 02:30:27 -0700 


github-advanced-security[bot] commented on code in PR #4144:
URL: https://github.com/apache/logging-log4j2/pull/4144#discussion_r3394770693


##########
log4j-core/src/main/java/org/apache/logging/log4j/core/config/xml/XmlConfiguration.java:
##########
@@ -84,24 +88,9 @@
             }
             final InputSource source = new InputSource(new 
ByteArrayInputStream(buffer));
             source.setSystemId(configSource.getLocation());
-            final DocumentBuilder documentBuilder = newDocumentBuilder(true);
-            Document document;
-            try {
-                document = documentBuilder.parse(source);
-            } catch (final Exception e) {
-                // LOG4J2-1127
-                final Throwable throwable = Throwables.getRootCause(e);
-                if (throwable instanceof UnsupportedOperationException) {
-                    LOGGER.warn(
-                            "The DocumentBuilder {} does not support an 
operation: {}."
-                                    + "Trying again without XInclude...",
-                            documentBuilder,
-                            e);
-                    document = newDocumentBuilder(false).parse(source);
-                } else {
-                    throw e;
-                }
-            }
+            final boolean xIncludeAware = 
PropertiesUtil.getProperties().getBooleanProperty(ENABLE_XINCLUDE_PROP);
+            final DocumentBuilder documentBuilder = 
newDocumentBuilder(xIncludeAware);
+            final Document document = documentBuilder.parse(source);

Review Comment:
   ## CodeQL / Resolving XML external entity in user-controlled data
   
   XML parsing depends on a [user-provided value](1) without guarding against 
external entity expansion.
   XML parsing depends on a [user-provided value](2) without guarding against 
external entity expansion.
   XML parsing depends on a [user-provided value](3) without guarding against 
external entity expansion.
   XML parsing depends on a [user-provided value](4) without guarding against 
external entity expansion.
   XML parsing depends on a [user-provided value](5) without guarding against 
external entity expansion.
   
   [Show more 
details](https://github.com/apache/logging-log4j2/security/code-scanning/150)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to