WW-5621 Harden XML parsers against Entity Expansion (Billion Laughs) attacks#1642
Open
lukaszlenart wants to merge 1 commit intomainfrom
Open
WW-5621 Harden XML parsers against Entity Expansion (Billion Laughs) attacks#1642lukaszlenart wants to merge 1 commit intomainfrom
lukaszlenart wants to merge 1 commit intomainfrom
Conversation
lukaszlenart
force-pushed
the
harden/xml-entity-expansion-protection
branch
from
d5080f5 to
2254b73
Compare
…attacks Modern JDKs (7u45+) already protect against this attack with a built-in 64K entity expansion limit. These changes add defense-in-depth hardening and remove unnecessary attack surface. - Remove unused parseStringAsXML feature from StringAdapter to eliminate a theoretical XML Entity Expansion vector - Deprecate setParseStringAsXML() and getParseStringAsXML() for removal - Enable SECURE_PROCESSING feature in DigesterDefinitionsReader - Add unit test verifying JDK's entity expansion limit rejects Billion Laughs payloads - Add research document with vulnerability analysis Co-Authored-By: Claude <noreply@anthropic.com>
lukaszlenart
force-pushed
the
harden/xml-entity-expansion-protection
branch
from
2254b73 to
80c2c13
Compare
|
lukaszlenart
requested review from
aleksandr-m,
cnenning,
jogep,
kusalk,
rgielen,
sdutry and
yasserzamani
lukaszlenart
added a commit
that referenced
this pull request
Mar 29, 2026
…attacks Backport of #1642 from Struts 7 to Struts 6. Modern JDKs (7u45+) already protect against this attack with a built-in 64K entity expansion limit. These changes add defense-in-depth hardening and remove unnecessary attack surface. - Enable FEATURE_SECURE_PROCESSING in DomHelper SAX parser - Enable FEATURE_SECURE_PROCESSING in DigesterDefinitionsReader - Remove unused parseStringAsXML feature from StringAdapter to eliminate a theoretical XML Entity Expansion vector - Deprecate setParseStringAsXML() and getParseStringAsXML() for removal - Add Billion Laughs protection tests for DomHelper and DigesterDefinitionsReader Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes WW-5621
Defense-in-depth hardening of XML parsers against Entity Expansion (Billion Laughs) attacks. This is not an exploitable vulnerability — modern JDKs (7u45+) already enforce a 64K entity expansion limit, and all XML sources come from the classpath, not user input.
Changes
FEATURE_SECURE_PROCESSINGinDomHelperand TilesDigesterDefinitionsReaderparseStringAsXMLfeature fromStringAdapterto eliminate theoretical attack surfacegetParseStringAsXML()/setParseStringAsXML()for future removalTests
DomHelperTest(core)TestDigesterDefinitionsReader(tiles)StringAdapterTestcovering the deprecated no-opparseStringAsXMLcontractTest plan
mvn test -DskipAssembly -pl core -Dtest=DomHelperTest— 5 tests passmvn test -DskipAssembly -pl plugins/xslt -Dtest=StringAdapterTest— 2 tests passmvn test -DskipAssembly -pl plugins/tiles -Dtest=TestDigesterDefinitionsReader— 3 tests pass🤖 Generated with Claude Code