This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git

commit 977e51f8a68046868dd089ef194abecc73c2c3f2
Author: Robert Lazarski <[email protected]>
AuthorDate: Tue Jun 9 16:16:07 2026 -1000

    RAMPART-428: harden the test XML parser against XXE
    
    Follow-up to the Gemini review: configure DocumentBuilderFactory in
    PolicyBasedResultsValidatorTest to disallow DTDs and external entities (OWASP
    secure-parsing settings), so the security test does not model an insecure
    parser.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../java/org/apache/rampart/PolicyBasedResultsValidatorTest.java    | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git 
a/modules/rampart-core/src/test/java/org/apache/rampart/PolicyBasedResultsValidatorTest.java
 
b/modules/rampart-core/src/test/java/org/apache/rampart/PolicyBasedResultsValidatorTest.java
index 47e3a26f..43a4b6fc 100644
--- 
a/modules/rampart-core/src/test/java/org/apache/rampart/PolicyBasedResultsValidatorTest.java
+++ 
b/modules/rampart-core/src/test/java/org/apache/rampart/PolicyBasedResultsValidatorTest.java
@@ -59,6 +59,12 @@ public class PolicyBasedResultsValidatorTest extends 
TestCase {
 
     protected void setUp() throws Exception {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        // Secure the parser (OWASP): no DTDs / external entities.
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+        
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        dbf.setXIncludeAware(false);
+        dbf.setExpandEntityReferences(false);
         dbf.setNamespaceAware(true);
         DocumentBuilder db = dbf.newDocumentBuilder();
         doc = db.parse(new 
ByteArrayInputStream(WRAPPED.getBytes(StandardCharsets.UTF_8)));
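Review bot: the three `dbf.setFeature(...)` lines at the top of the hunk end their feature URI in `";` rather than `",` (e.g. `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);`), which would not compile as shown; if that is only mail rendering of the URI, fine, but the committed file should be checked. The settings otherwise match the OWASP DocumentBuilderFactory guidance, with `disallow-doctype-decl` already rejecting any DOCTYPE so the two external-entity features are defence in depth; OWASP additionally recommends `dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)` for implementations that do not honour the DOCTYPE feature, and adding it here would make the test parser match the recommended profile. Note also that `setFeature` throws `ParserConfigurationException` on a JAXP implementation that does not recognise a feature URI; that is acceptable since `setUp() throws Exception`, but a short comment recording that the test assumes a Xerces-based parser would save the next reader from wondering why the test fails on another implementation.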
