fix: harden XML parser against XXE in Cloud Functions sample (#10236)

anto-1 · web-flow · commit fcf5208fc0d0 · 2026-02-27T17:44:38.000-05:00
* fix: harden XML parser against XXE in Cloud Functions sample

DocumentBuilderFactory.newInstance() with default settings allows
external entity resolution. This enables XXE attacks (file read,
SSRF) when parsing untrusted XML input.

Add disallow-doctype-decl feature per OWASP XXE Prevention Cheat Sheet.

* address review: add defense-in-depth features, make field final, fix pom.xml target

- Make dbFactory final per review suggestion
- Add OWASP-recommended defense-in-depth features:
  external-general-entities, external-parameter-entities,
  load-external-dtd, XIncludeAware, ExpandEntityReferences
- Fix pom.xml functionTarget: ParseContentType -&gt; ParseXml
diff --git a/functions/http/parse-xml/pom.xml b/functions/http/parse-xml/pom.xml
@@ -94,7 +94,7 @@
         <artifactId>function-maven-plugin</artifactId>
         <version>0.11.0</version>
         <configuration>
-          <functionTarget>functions.ParseContentType</functionTarget>
+          <functionTarget>functions.ParseXml</functionTarget>
         </configuration>
       </plugin>
       <plugin>
diff --git a/functions/http/parse-xml/src/main/java/functions/ParseXml.java b/functions/http/parse-xml/src/main/java/functions/ParseXml.java
@@ -32,7 +32,22 @@
 import org.xml.sax.SAXException;
 
 public class ParseXml implements HttpFunction {
-  private static DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+  private static final DocumentBuilderFactory dbFactory;
+
+  static {
+    dbFactory = DocumentBuilderFactory.newInstance();
+    try {
+      // Prevent XXE attacks (see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
+      dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+      dbFactory.setXIncludeAware(false);
+      dbFactory.setExpandEntityReferences(false);
+    } catch (ParserConfigurationException e) {
+      throw new RuntimeException(e);
+    }
+  }
 
   // Parses a HTTP request in XML format
   // (Responds with a 400 error if the HTTP request isn't valid XML.)
