
WW-5621 Harden XML parsers against Entity Expansion (Billion Laughs) attacks [S6]#1643

Open
lukaszlenart wants to merge 1 commit into release/struts-6-8-x from WW-5621-harden-xml-parsers-billion-laughs-s6

Conversation

@lukaszlenart
Member

Summary

Backport of #1642 from Struts 7 to Struts 6.

  • Enable FEATURE_SECURE_PROCESSING in DomHelper and Tiles DigesterDefinitionsReader
  • Remove unused parseStringAsXML feature from StringAdapter to eliminate theoretical attack surface
  • Deprecate getParseStringAsXML() / setParseStringAsXML() for future removal
  • Add Billion Laughs protection tests for both XML parsers

Test plan

  • mvn test -DskipAssembly -pl core -Dtest=DomHelperTest — 4 tests pass
  • mvn test -DskipAssembly -pl plugins/tiles -Dtest="TestDigesterDefinitionsReader#testBillionLaughsProtection" — 1 test passes
  • mvn test -DskipAssembly -pl plugins/xslt — builds successfully

🤖 Generated with Claude Code

…attacks

Backport of #1642 from Struts 7 to Struts 6.

Modern JDKs (7u45+) already protect against this attack with a built-in
64K entity expansion limit. These changes add defense-in-depth hardening
and remove unnecessary attack surface.

- Enable FEATURE_SECURE_PROCESSING in DomHelper SAX parser
- Enable FEATURE_SECURE_PROCESSING in DigesterDefinitionsReader
- Remove unused parseStringAsXML feature from StringAdapter to eliminate
  a theoretical XML Entity Expansion vector
- Deprecate setParseStringAsXML() and getParseStringAsXML() for removal
- Add Billion Laughs protection tests for DomHelper and DigesterDefinitionsReader

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
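An added check, not code from this PR or the Struts project, showing the hardening the commit describes: a SAX parser with FEATURE_SECURE_PROCESSING enabled refuses a constructed nested-entity document once the JDK's 64,000 expansion limit is hit, instead of expanding it. The class and method names, and the sample document, are assumptions made for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;

public class EntityExpansionCheck {

    // Constructed sample: five nesting levels of ten references each,
    // i.e. 10^5 expansions of "lol", above the JDK's 64,000 default limit.
    static String nestedEntityDocument() {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n");
        sb.append(" <!ENTITY lol0 \"lol\">\n");
        for (int level = 1; level <= 5; level++) {
            sb.append(" <!ENTITY lol").append(level).append(" \"");
            for (int i = 0; i < 10; i++) sb.append("&lol").append(level - 1).append(";");
            sb.append("\">\n");
        }
        sb.append("]>\n<lolz>&lol5;</lolz>");
        return sb.toString();
    }

    // Parser configured the way the commit describes: secure processing is enabled
    // on the SAX factory, which activates the JDK's entity expansion limits.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Stricter option (assumption, not from the PR): refuse any DOCTYPE at all,
        // which removes inline entity declarations entirely.
        // factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newSAXParser();
    }

    // Returns true when the hardened parser rejects the document with a SAX error
    // instead of expanding it; the error message is logged for the reader.
    static boolean rejectsDocument(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return false;
        } catch (SAXException e) {
            System.err.println("parser refused document: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsDocument(nestedEntityDocument()));
    }
}
```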
lukaszlenart marked this pull request as ready for review March 29, 2026 06:16
@sonarqubecloud

Quality Gate failed

Failed conditions
25 Security Hotspots
43.3% Coverage on New Code (required ≥ 80%)
3.3% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

