[ https://issues.apache.org/jira/browse/TINKERPOP-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Mallette closed TINKERPOP-2320.
---------------------------------------
    Fix Version/s: 3.3.10
                   3.4.5
                   3.5.0
         Assignee: Stephen Mallette
       Resolution: Done

> [SECURITY] XMLInputFactory initialization in GraphMLReader introduces
> ----------------------------------------------------------------------
>
>                 Key: TINKERPOP-2320
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: io
>    Affects Versions: 3.4.4
>            Reporter: Norio Akagi
>            Assignee: Stephen Mallette
>            Priority: Major
>             Fix For: 3.5.0, 3.4.5, 3.3.10
>
>
> I use TinkerPop in my company, and now the security team has done an audit and
> reported that this part in the GraphML reader may introduce XXE vulnerabilities.
> {{private final XMLInputFactory inputFactory = XMLInputFactory.newInstance();}}
> Some documents recommend adding some properties to protect it, as follows:
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
> So I am wondering if I can either
> 1. just hard-code these properties in the constructor of GraphMLReader
> (it will break the existing behavior if users rely on it), or
> 2. somehow make these properties configurable so that we can pass some flags
> and, depending on the flags, initialize GraphMLReader with those properties.
> Any recommendations? I am happy to add an implementation to handle it but need
> some input on which direction I should take.
> Thanks.
> Norio

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
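An added example, not TinkerPop's code, that puts the initialization quoted in the report next to the StAX settings the linked OWASP cheat sheet recommends and runs both against a constructed GraphML fragment carrying an internal DTD; the class and method names (GraphMLFactoryCheck, defaultFactory, hardenedFactory, accepts) are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class GraphMLFactoryCheck {
    // Initialization as quoted in the report: the StAX provider's defaults
    // decide whether DTDs and external entities are processed.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Initialization per the OWASP StAX guidance the report links:
    // disable DTD processing outright, and external entity resolution too.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Constructed GraphML document with an internal DTD subset. A reader that
    // honours the DOCTYPE is the precondition for XXE; this entity is harmless.
    static final String GRAPHML_WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE graphml [ <!ENTITY label \"vertex\"> ]>\n"
        + "<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">\n"
        + "  <graph id=\"G\" edgedefault=\"directed\">\n"
        + "    <node id=\"n0\"><data key=\"name\">&label;</data></node>\n"
        + "  </graph>\n"
        + "</graphml>\n";

    // True if the factory parses the whole document without error. With DTD
    // support off, parsing fails at the DOCTYPE or at the now-undeclared
    // &label; reference, depending on the StAX provider in use.
    static boolean accepts(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();  // walk every event so entity references get resolved
            }
            r.close();
            return true;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("default  accepts DTD document: " + accepts(defaultFactory(), GRAPHML_WITH_DTD));
        System.out.println("hardened accepts DTD document: " + accepts(hardenedFactory(), GRAPHML_WITH_DTD));
    }
}
```

Running it on the JDK's built-in StAX or on Woodstox shows the hardened factory refusing the DTD-bearing document while the default factory processes it, which is the behavioural difference the reporter's option 1 would introduce for existing GraphML files that rely on a DOCTYPE.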