cloudfoundry · theghost5800 · Jun 8, 2026 · Jun 5, 2026
diff --git a/.../cloudfoundry/multiapps/controller/web/util/XmlNamespaceIgnoringHttpMessageConverter.java b/.../cloudfoundry/multiapps/controller/web/util/XmlNamespaceIgnoringHttpMessageConverter.java
@@ -21,12 +21,26 @@
 import org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLFilter;
 import org.xml.sax.XMLReader;
 
 public class XmlNamespaceIgnoringHttpMessageConverter implements HttpMessageConverter<Object> {
 
-    private static final SAXParserFactory SAX_PARSER_FACTORY = SAXParserFactory.newInstance();
+    private static final SAXParserFactory SAX_PARSER_FACTORY = createSaxParserFactory();
+
+    private static SAXParserFactory createSaxParserFactory() {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        try {
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
+            throw new ExceptionInInitializerError(e);
+        }
+        return factory;
+    }
 
     private final Jaxb2RootElementHttpMessageConverter delegate = new Jaxb2RootElementHttpMessageConverter();
 

diff --git a/...udfoundry/multiapps/controller/web/util/XmlNamespaceIgnoringHttpMessageConverterTest.java b/...udfoundry/multiapps/controller/web/util/XmlNamespaceIgnoringHttpMessageConverterTest.java
@@ -3,16 +3,21 @@
 import java.io.InputStream;
 import java.util.stream.Stream;
 
+import org.cloudfoundry.multiapps.common.ParsingException;
 import org.cloudfoundry.multiapps.common.test.Tester;
 import org.cloudfoundry.multiapps.common.test.Tester.Expectation;
 import org.cloudfoundry.multiapps.controller.web.util.bar.Bar;
 import org.cloudfoundry.multiapps.controller.web.util.foo.Foo;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpInputMessage;
 
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 class XmlNamespaceIgnoringHttpMessageConverterTest {
 
     private final Tester tester = Tester.forClass(getClass());
@@ -43,6 +48,20 @@
         tester.test(() -> converter.read(type, createHttpInputMessage(entityResource)), expectation);
     }
 
+    @Test
+    void testReadFromRejectsExternalEntityXxeAttack() {
+        ParsingException e = assertThrows(ParsingException.class,
+                                          () -> converter.read(Foo.class, createHttpInputMessage("xxe-external-entity.xml")));
+        assertTrue(e.getCause().toString().contains("DOCTYPE is disallowed"), "Expected DOCTYPE rejection but got: " + e.getCause());
+    }
+
+    @Test
+    void testReadFromRejectsBillionLaughsDoSAttack() {
+        ParsingException e = assertThrows(ParsingException.class,
+                                          () -> converter.read(Foo.class, createHttpInputMessage("xxe-billion-laughs.xml")));
+        assertTrue(e.getCause().toString().contains("DOCTYPE is disallowed"), "Expected DOCTYPE rejection but got: " + e.getCause());
+    }
+
     private HttpInputMessage createHttpInputMessage(String resource) {
         return new HttpInputMessage() {
 

diff --git a/.../src/test/resources/org/cloudfoundry/multiapps/controller/web/util/xxe-billion-laughs.xml b/.../src/test/resources/org/cloudfoundry/multiapps/controller/web/util/xxe-billion-laughs.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!DOCTYPE model [
+  <!ENTITY lol "lol">
+  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+]>
+<model>
+  <property-1>&lol4;</property-1>
+  <property-2>property-2-value</property-2>
+  <property-3>1000</property-3>
+  <property-4>true</property-4>
+</model>
diff --git a/...src/test/resources/org/cloudfoundry/multiapps/controller/web/util/xxe-external-entity.xml b/...src/test/resources/org/cloudfoundry/multiapps/controller/web/util/xxe-external-entity.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!DOCTYPE model [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<model>
+  <property-1>&xxe;</property-1>
+  <property-2>property-2-value</property-2>
+  <property-3>1000</property-3>
+  <property-4>true</property-4>
+</model>