Wrong XML parser?
This is no tthe JDK XML parser
org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse
jena 4.7.0 is out-of-date.
And it causes an exception as expected on Jena 4.3.2
Andy
On 16/11/2025 18:26, Martynas Jusevičius wrote:
Created an issue here: https://github.com/apache/jena/issues/3595
On Sun, Nov 16, 2025 at 6:55 PM Martynas Jusevičius
<[email protected]> wrote:
Thanks. I changed the value to 1 but that made no difference -- the
exploit still works.
I can see that the JenaXMLInput class is related -- but I'm not sure
how it applies to my code if I'm not using XMLReader directly?
https://github.com/apache/jena/blob/main/jena-core/src/main/java/org/apache/jena/util/JenaXMLInput.java
Would a test case using RDFParser help?
On Sun, Nov 16, 2025 at 6:40 PM Andy Seaborne <[email protected]> wrote:
> System.setProperty("jdk.xml.entityExpansionLimit", "0");
https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html
"A value less than or equal to 0 indicates no limit."
Andy
On 16/11/2025 16:44, Martynas Jusevičius wrote:
Hi,
I want to protect my RDF/XML I/O code against Billion laughs, external
DTD and similar exploits. Using Jena 4.7.0.
The reader code looks like this:
public Model read(Model model, InputStream is, Lang lang, String
baseURI, ErrorHandler errorHandler)
{
RDFParser parser = RDFParser.create().
lang(lang).
errorHandler(errorHandler).
checking(true). // otherwise exceptions will not be thrown for
invalid URIs!
base(baseURI).
source(is).
build();
parser.parse(StreamRDFLib.graph(model.getGraph()));
return model;
}
I have a script that submits RDF/XML with Billion laughs (recursive
entity expansion) and that causes the Java application to run out of
memory:
Caused by: java.lang.OutOfMemoryError: Java heap space
at java.base/java.util.Arrays.copyOf(Arrays.java:3537)
at
java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:228)
at
java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:740)
at java.base/java.lang.StringBuffer.append(StringBuffer.java:410)
at
org.apache.jena.rdfxml.xmlinput.states.AbsWantLiteralValueOrDescription.characters(AbsWantLiteralValueOrDescription.java:62)
at
org.apache.jena.rdfxml.xmlinput.states.WantLiteralValueOrDescription.characters(WantLiteralValueOrDescription.java:77)
at
org.apache.jena.rdfxml.xmlinput.impl.XMLHandler.characters(XMLHandler.java:137)
at org.apache.xerces.parsers.AbstractSAXParser.characters(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.characters(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanContent(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.jena.rdfxml.xmlinput.impl.RDFXMLParser.parse(RDFXMLParser.java:96)
at org.apache.jena.rdfxml.xmlinput.ARP.load(ARP.java:118)
at org.apache.jena.riot.lang.ReaderRIOTRDFXML.parse(ReaderRIOTRDFXML.java:186)
at org.apache.jena.riot.lang.ReaderRIOTRDFXML.read(ReaderRIOTRDFXML.java:84)
at org.apache.jena.riot.RDFParser.read(RDFParser.java:416)
at org.apache.jena.riot.RDFParser.parseNotUri(RDFParser.java:406)
at org.apache.jena.riot.RDFParser.parse(RDFParser.java:356)
at com.atomgraph.core.io.ModelProvider.read(ModelProvider.java:113)
at com.atomgraph.core.io.ModelProvider.read(ModelProvider.java:96)
at com.atomgraph.core.io.ModelProvider.readFrom(ModelProvider.java:90)
at com.atomgraph.core.io.ModelProvider.readFrom(ModelProvider.java:53)
at
org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$TerminalReaderInterceptor.invokeReadFrom(ReaderInterceptorExecutor.java:233)
at
org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$TerminalReaderInterceptor.aroundReadFrom(ReaderInterceptorExecutor.java:212)
at
org.glassfish.jersey.message.internal.ReaderInterceptorExecutor.proceed(ReaderInterceptorExecutor.java:132)
at
org.glassfish.jersey.message.internal.MessageBodyFactory.readFrom(MessageBodyFactory.java:1072)
I have tried the following config (and its alternative in
CATALINA_OPTS), but they do not seem to have any effect -- the exploit
still works:
System.setProperty("javax.xml.stream.isSupportingExternalEntities", "false");
System.setProperty("javax.xml.accessExternalDTD", "");
System.setProperty("javax.xml.accessExternalSchema", "");
System.setProperty("jdk.xml.entityExpansionLimit", "0");
What is the solution here?
I would hate to have to single out RDF/XML and handle it specially,
but I'll do it if it's necessary in order to solve this.
Thanks.
Martynas
atomgraph.com
