Potential fix for code scanning alert no. 166: Resolving XML external entity in user-controlled data (#3582)

hmiguim · github-advanced-security[bot] · web-flow · commit b26d72ba4ca0 · 2026-01-15T11:39:54.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/roda-core/roda-core/src/main/java/org/roda/core/common/validation/ValidationUtils.java b/roda-core/roda-core/src/main/java/org/roda/core/common/validation/ValidationUtils.java
@@ -17,6 +17,7 @@
 import java.util.Map;
 import java.util.Optional;
 
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.Source;
 import javax.xml.transform.sax.SAXSource;
@@ -271,7 +272,25 @@ public static ValidationReport validateDescriptiveBinary(ContentPayload descript
         try (InputStreamReader inputStreamReader = new InputStreamReader(
           new BOMInputStream(descriptiveMetadataPayload.createInputStream()))) {
 
-          XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+          XMLReader xmlReader;
+          try {
+            SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+            saxParserFactory.setNamespaceAware(true);
+            // Enable secure processing
+            saxParserFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
+            // Disallow DOCTYPE declarations
+            saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            // Disable external entities
+            saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            // Do not load external DTDs
+            saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+            xmlReader = saxParserFactory.newSAXParser().getXMLReader();
+          } catch (ParserConfigurationException | SAXException e) {
+            throw new IOException("Failed to securely configure XML parser", e);
+          }
+
           xmlReader.setEntityResolver(new RodaEntityResolver());
           InputSource inputSource = new InputSource(inputStreamReader);
           Source source = new SAXSource(xmlReader, inputSource);
