[ 
https://issues.apache.org/jira/browse/RANGER-5477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Shah updated RANGER-5477:
--------------------------------
    Description: 
Scan has identified XXE as a critical finding. 
{code:java}
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
{code}
 
{code:java}
TransformerFactory tfactory = TransformerFactory.newInstance();
tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
Transformer transformer = tfactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");

DOMSource source = new DOMSource(doc);
FileOutputStream out = new FileOutputStream(outFile);
StreamResult result = new StreamResult(out);
transformer.transform(source, result);
out.close();
{code}
File: /agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
line number.

For more information, access Fortify at the URL below:

[https://re-fortify.infra.cloudera.com/ssc/html/ssc/]

 

  was:
Scan has identified XXE as a critical finding. 


{code:java}
set factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
{code}
 
{code:java}
TransformerFactory tfactory = TransformerFactory.newInstance();
tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
Transformer transformer = tfactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");

DOMSource source = new DOMSource(doc);
FileOutputStream out = new FileOutputStream(outFile);
StreamResult result = new StreamResult(out);
transformer.transform(source, result);
out.close();
{code}

File: /agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
line number.



For more information, access Fortify at the URL below:

[https://re-fortify.infra.cloudera.com/ssc/html/ssc/]

 


> XML External Entity Injection Security issue in Ranger
> ------------------------------------------------------
>
>                 Key: RANGER-5477
>                 URL: https://issues.apache.org/jira/browse/RANGER-5477
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Dhaval Shah
>            Assignee: Bhavesh Amre
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
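As an added example, not code from the Ranger project or from this issue: the two hardening steps the finding is about (a DocumentBuilderFactory that refuses any DOCTYPE, and a TransformerFactory that cannot fetch external DTDs or stylesheets) put together in a small self-contained program, exercised against a constructed XXE payload so the rejection can be observed. The class name, the sample documents and the helper method names are assumptions made for the example; the feature and property names are the standard JAXP/Xerces ones.

```java
// Added example (not Ranger code): XXE-hardened DOM parse and serialize.
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed XXE payload (not from the issue): an external general entity
    // that would read /etc/passwd if the parser resolved it.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE configuration [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
      + "]>\n"
      + "<configuration><property><name>leak</name>"
      + "<value>&xxe;</value></property></configuration>";

    // Constructed benign input of the same shape, with no DOCTYPE.
    static final String SAFE_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<configuration><property><name>k</name>"
      + "<value>v</value></property></configuration>";

    // DocumentBuilderFactory with DTD processing disabled outright.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Strongest setting: any DOCTYPE, and so any entity declaration, is a parse error.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the line above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // TransformerFactory that cannot reach external DTDs or stylesheets.
    static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tfactory = TransformerFactory.newInstance();
        tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Secure processing alone does not block external access on every JDK;
        // the empty string means "no protocols allowed" for these JAXP properties.
        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tfactory;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer transformer = hardenedTransformerFactory().newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // The benign document round-trips through parse and serialize.
        System.out.println(serialize(parse(SAFE_INPUT)));

        // The XXE payload is rejected at the DOCTYPE, before any entity is resolved.
        try {
            parse(XXE_PAYLOAD);
            System.out.println("UNEXPECTED: payload parsed");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the one that actually closes the hole for a parser that only ever reads DOCTYPE-free configuration files; the external-entity features are kept because some scanners, Fortify included, look for them explicitly. On the output side, ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are the properties that stop a Transformer from fetching remote resources, which FEATURE_SECURE_PROCESSING by itself does not guarantee on every JDK.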
