This is an automated email from the ASF dual-hosted git repository.

josedee pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-kogito-apps.git


The following commit(s) were added to refs/heads/main by this push:
     new 76a192ab4 CWE-611-fix (#2344)
76a192ab4 is described below

commit 76a192ab4dfb6d57e5d8ecd88cc217d03aa8fbc3
Author: Deepak Joseph <[email protected]>
AuthorDate: Mon Jun 22 17:57:58 2026 +0530

    CWE-611-fix (#2344)
---
 .../main/java/org/kie/kogito/jitexecutor/bpmn/JITBPMNServiceImpl.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/jitexecutor/jitexecutor-bpmn/src/main/java/org/kie/kogito/jitexecutor/bpmn/JITBPMNServiceImpl.java
 
b/jitexecutor/jitexecutor-bpmn/src/main/java/org/kie/kogito/jitexecutor/bpmn/JITBPMNServiceImpl.java
index abefebd90..15fd2a02e 100644
--- 
a/jitexecutor/jitexecutor-bpmn/src/main/java/org/kie/kogito/jitexecutor/bpmn/JITBPMNServiceImpl.java
+++ 
b/jitexecutor/jitexecutor-bpmn/src/main/java/org/kie/kogito/jitexecutor/bpmn/JITBPMNServiceImpl.java
@@ -481,6 +481,8 @@ public class JITBPMNServiceImpl implements JITBPMNService {
         try {
             DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
             factory.setNamespaceAware(true);
+            // Disable DOCTYPE declarations to prevent XXE attacks
+            
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             DocumentBuilder builder = factory.newDocumentBuilder();
             org.w3c.dom.Document doc = builder.parse(new 
org.xml.sax.InputSource(new StringReader(modelXML)));
 
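Review bot: The new `setFeature` on the Apache-specific `disallow-doctype-decl` URI is the right primary control for CWE-611, but it is implementation-specific: `DocumentBuilderFactory.newInstance()` resolves the parser via the JAXP lookup, and a non-Xerces implementation may reject the feature with `ParserConfigurationException`, whose handling sits in the `catch` clause outside this hunk — if that catch is best-effort, the parse would be skipped silently instead of failing closed, so it is worth confirming. Pairing it with the JAXP-mandated `XMLConstants.FEATURE_SECURE_PROCESSING` (which every compliant parser must accept) and explicitly disabling external general/parameter entities, XInclude and entity expansion gives defense in depth should the DOCTYPE feature ever be unavailable; `javax.xml.XMLConstants` would need to be imported. The added comment could also tie the line to the issue the commit title names, e.g. `// CWE-611: reject any DOCTYPE so external entities/DTDs in modelXML are never resolved`.
```java
            factory.setNamespaceAware(true);
            // CWE-611: reject any DOCTYPE so external entities/DTDs in modelXML are never resolved
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defense in depth: portable JAXP secure-processing limits plus explicit entity/XInclude opt-outs
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            // … unchanged: newDocumentBuilder() and parse of modelXML …
```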

