Hi Nico,

> Is there a way to set parser properties like `jdk.xml.entityExpansionLimit` in BaseX?

By default, more recent versions of the JDK have static entity expansion limits. Maybe those are not strict enough? Do you have an example at hand that causes problems?

> I am using the internal parser with the DTD option set to false, but this is still vulnerable to the one billion laughs attack.

Thanks for the hint. I have improved the entity expansion checks in our internal XML parser [1]. If you find an example that will not be caught by our (very simple) heuristics, feel free to share it with us.

I agree with Eliot that it can be hazardous to process arbitrary external contents (you are probably aware of that, too). Good firewall/proxy settings may be able to tackle some of the issues that will not be handled during XML parsing.

And @Eliot, with regard to caching: Have you played around with the XML Catalog feature?

Hope this helps,
Christian

[1] https://files.basex.org/releases/latest/

On Fri, Mar 14, 2025 at 11:12 AM Nico Verwer (Rakensi) <nver...@rakensi.com> wrote:
> Thank you, Eliot Kimber, for your response:
>
> > These vulnerabilities are only an issue if you allow untrusted users to
> > supply XML documents with DTDs.
>
> My application will be open to the outer world, so there will be untrusted
> users. We do not use DTDs, but DTDs are just one vulnerability.
>
> > [...] pre-parse them before supplying them to BaseX,
> > My solution is to simply not use DTD-aware parsing, [...]
>
> I am using the internal parser with the DTD option set to false, but this
> is still vulnerable to the one billion laughs attack.
>
> My next action will be to try to install my own parser into BaseX, which
> will be an interesting exercise...
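As an added illustration of the JDK entity expansion limit Christian refers to (example code written for this page, not code from BaseX or from anyone in the thread): a small Java program that builds a deliberately shrunk "billion laughs" document and hands it to the JDK's built-in JAXP/Xerces parser under three settings. The feature and attribute URIs are the JDK's own; the `BILLION_LAUGHS` document, the `factory` and `tryParse` helpers and the limit values are constructed for this example. These limits govern the JDK parser only; they say nothing about BaseX's internal parser, which is the one Nico's message says is in use.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityExpansionDemo {

  // Constructed sample: four nesting levels instead of the classic nine, so the
  // fully expanded text is 30,000 characters (10^4 copies of "lol") rather than
  // gigabytes. The shape of the attack is unchanged: each level references the
  // previous one ten times, so expansion cost grows by 10x per level.
  static final String BILLION_LAUGHS = String.join("\n",
      "<?xml version=\"1.0\"?>",
      "<!DOCTYPE lolz [",
      " <!ENTITY lol \"lol\">",
      " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">",
      " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">",
      " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">",
      " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">",
      "]>",
      "<lolz>&lol4;</lolz>");

  /**
   * Build a DocumentBuilderFactory with an explicit entity expansion limit.
   * The attribute below is the per-factory equivalent of the
   * jdk.xml.entityExpansionLimit system property and takes precedence over it;
   * the JDK's default, applied when neither is set, is 64000.
   */
  static DocumentBuilderFactory factory(int entityExpansionLimit, boolean allowDoctype)
      throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Secure processing turns on the JDK's resource limits as a group.
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Rejecting the DOCTYPE outright removes internal and external entities,
    // and therefore every entity-based attack, at the cost of refusing any
    // document that carries a DTD.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
    // Passed as a String, which every JDK release that knows the property accepts.
    f.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
        String.valueOf(entityExpansionLimit));
    return f;
  }

  /** Parse and report the outcome instead of letting the exception propagate. */
  static String tryParse(String xml, int entityExpansionLimit, boolean allowDoctype)
      throws Exception {
    DocumentBuilder b = factory(entityExpansionLimit, allowDoctype).newDocumentBuilder();
    // DefaultHandler rethrows fatal errors without echoing them to stderr first.
    b.setErrorHandler(new DefaultHandler());
    try {
      Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return "accepted, expanded text is "
          + d.getDocumentElement().getTextContent().length() + " chars";
    } catch (SAXParseException e) {
      return "rejected: " + e.getMessage();
    }
  }

  public static void main(String[] args) throws Exception {
    // The sample costs 1 + 10 + 100 + 1000 + 10000 = 11111 expansions, which is
    // below the JDK default of 64000, so the default limit lets it through.
    System.out.println("limit 64000, DOCTYPE allowed: "
        + tryParse(BILLION_LAUGHS, 64000, true));
    // A limit tuned to what the application actually needs stops the expansion
    // long before the replacement text is materialised.
    System.out.println("limit 1000,  DOCTYPE allowed: "
        + tryParse(BILLION_LAUGHS, 1000, true));
    // Refusing the DOCTYPE rejects the document at the first line of the DTD.
    System.out.println("DOCTYPE disallowed:           "
        + tryParse(BILLION_LAUGHS, 64000, false));
  }
}
```

The first run shows why a default limit can be "not strict enough" for a public endpoint: 11111 expansions is well under 64000, so the JDK parser happily produces the 30,000-character result. Multiply the nesting depth and the same shape exhausts memory before the counter trips. A per-factory limit sized for the documents you expect, or disallowing the DOCTYPE entirely when you do not use DTDs, is the check a practitioner wants in front of untrusted input regardless of which parser BaseX eventually hands the document to.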