Merge pull request #23 from sip49/pixeebot/drip-2024-01-26-pixee-java…

…/harden-xmlinputfactory Introduced protections against XXE attacks
sip49 · Jul 23, 2024 · 96f9f8e · 96f9f8e
2 parents f55a467 + 403932c
commit 96f9f8e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import static io.github.pixee.security.XMLInputFactorySecurity.hardenFactory;
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
@@ -95,7 +96,7 @@ protected Comments getComments() {
    */
   protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
     var jc = JAXBContext.newInstance(Comment.class);
-    var xif = XMLInputFactory.newInstance();
+    var xif = hardenFactory(XMLInputFactory.newInstance());
 
     if (webSession.isSecurityEnabled()) {
       xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant