Critical severity (9.8, NVD) · Advisory · Published Nov 5, 2024 · Updated Apr 15, 2026
CVE-2024-51132
Description
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. Practitioner note: the affected and patched ranges below are expressed against the `org.hl7.fhir.*` Maven artifacts published under the `ca.uhn.hapi.fhir` group ID (the HL7 FHIR core libraries), so check the version of those artifacts actually on the classpath rather than assuming a server or client product version. The fix shown below replaces every bare `DocumentBuilderFactory.newInstance()` with `XMLUtil.newXXEProtectedDocumentBuilderFactory()`; the feature settings that helper applies are not shown in this excerpt.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4 (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) | < 6.4.0 | 6.4.0 |
| ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) | < 6.4.0 | 6.4.0 |
Patches
226c445c8fc847ede053a5fca — Move new documentbuilderfactory calls to XMLUtils
43 files changed · +153 −135
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java+1 −3 modified@@ -1,7 +1,5 @@ package org.hl7.fhir.convertors.misc.adl; -import java.io.FileInputStream; -import java.io.FileOutputStream; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -89,7 +87,7 @@ private static String getParam(String[] args, String name) { private void execute() throws Exception { // load config - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder(); adlConfig = builder.parse(ManagedFileAccess.inStream(config)).getDocumentElement();
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java+1 −1 modified@@ -51,7 +51,7 @@ public class CDAUtilities { private final Document doc; public CDAUtilities(InputStream stream) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
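Review bot: If XMLUtil.newXXEProtectedDocumentBuilderFactory() disallows DOCTYPE declarations, `new CDAUtilities(stream)` will now throw a SAXParseException for any CDA instance that carries one, and the constructor's `throws Exception` signature hides that behaviour change from callers. That is the right trade-off for documents received from outside parties, but it should be stated at the call site, e.g. `// XXE: the XMLUtil factory refuses DOCTYPE/external entities; a CDA with a DTD will fail to parse`. The helper's settings are not visible in this excerpt, so confirm it disables external general entities, external parameter entities and external DTD loading together rather than only one of them.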
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java+1 −1 modified@@ -130,7 +130,7 @@ private Document loadXml(String address) throws Exception { res.checkThrowException(); InputStream xml = new ByteArrayInputStream(res.getContent()); - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder db = dbf.newDocumentBuilder(); return db.parse(xml); }
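Review bot: The bytes parsed here are a fetched response (`res.getContent()` for the `address` argument), so this is genuinely remote input, and blocking external entities alone does not bound entity expansion: a DOCTYPE with nested internal entities can still exhaust memory unless the helper also disallows DOCTYPE or turns on secure processing. Because the helper's settings are not in this excerpt, I would pin the policy locally, `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, or confirm the helper already does this. A size cap on `res.getContent()` before wrapping it in a ByteArrayInputStream would be a cheap extra guard; the start of loadXml's body, where `res` is obtained, lies outside the hunk.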
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java+1 −1 modified@@ -357,7 +357,7 @@ private String lang3To2(String lang) { } private Document load() throws ParserConfigurationException, SAXException, IOException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java+1 −1 modified@@ -131,7 +131,7 @@ private JsonObject buildPackage() { } private CodeSystem buildCodeSystem() throws ParserConfigurationException, FileNotFoundException, SAXException, IOException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder(); Document doc = builder.parse(ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl")));
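Review bot: `dcm.owl` is an RDF/OWL serialisation, and RDF-XML files commonly open with a DOCTYPE that declares internal entities for namespace prefixes; if the hardened factory sets `disallow-doctype-decl`, `buildCodeSystem()` will now fail on such a file with a SAXParseException instead of parsing it. That may be acceptable for a trusted local package build, but it should be checked against the real DICOM file before release, and the trade-off recorded at the call site: `// DOCTYPE (including internal entities) is refused by the hardened factory; dcm.owl must not rely on one`. I cannot see XMLUtil in this excerpt, so this is a caveat rather than a confirmed break; buildCodeSystem() continues past the hunk.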
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java+1 −1 modified@@ -120,7 +120,7 @@ public void setTargetFileNameVS(String targetFileName) { } public void go() throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(false); DocumentBuilder builder = factory.newDocumentBuilder(); Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java+1 −1 modified@@ -317,7 +317,7 @@ private String getDoco(Element en) { } private void load() throws ParserConfigurationException, SAXException, IOException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(false); DocumentBuilder builder = factory.newDocumentBuilder(); Document doc = builder.parse(ManagedFileAccess.inStream("C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd"));
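Review bot: The hardened factory guards a parse of a hard-coded developer path, `C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd`, so `load()` can only run on one machine and cannot be exercised by CI to prove the new factory still parses the schema. The security change is fine, but the path should come from the caller, e.g. `Document doc = builder.parse(ManagedFileAccess.inStream(sourcePath));` with `sourcePath` passed in or read from a system property. `load()` continues past the hunk.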
org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java+1 −1 modified@@ -148,7 +148,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
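Review bot: This `loadLoinc()` is one of six identical copies touched by this commit (convertors, dstu2, dstu2016may, dstu3, r4, r4b), each needing the same one-line fix; a security patch that must be applied by hand in six places is easy to miss in one. A single DOM-loading helper in org.hl7.fhir.utilities that the version-specific converters call would give one fix point, and until then a comment such as `// parser setup duplicated in the other LoincToDEConvertor copies — keep in sync` would at least flag it. `loadLoinc()` continues past the hunk.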
org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java+1 −1 modified@@ -78,7 +78,7 @@ public XmlParser(IWorkerContext context) { public Element parse(InputStream stream) throws Exception { Document doc = null; try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); // xxe protection factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
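Review bot: The explicit `factory.setFeature(...)` XXE lines that follow are now redundant with XMLUtil.newXXEProtectedDocumentBuilderFactory(), leaving this parser's entity policy defined in two places that can drift apart. Either drop them and rely on the helper, or keep them deliberately and say so: `// belt-and-braces: the XMLUtil factory already disables DOCTYPE/external entities; kept so this parser stays safe if the helper changes`. If they are kept, `factory.setExpandEntityReferences(false)` and `factory.setXIncludeAware(false)` are the usual companions and are not visible in the hunk. The `try` block and `parse()` continue outside the hunk.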
org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java+1 −1 modified@@ -116,7 +116,7 @@ public void setTargetFileNameVS(String targetFileName) { } public void go() throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(false); DocumentBuilder builder = factory.newDocumentBuilder(); Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
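Review bot: This `go()` is the same code as the convertors ICPC2Importer in this commit, with `setNamespaceAware(false)` and the same parse of `sourceFileName`, so the XXE fix had to land twice. If the dstu2016may copy is still needed, a pointer to the canonical copy helps the next fix reach both: `// duplicate of convertors/misc/ICPC2Importer — keep XML parser setup in sync`. `go()` continues past the hunk.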
org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java+1 −1 modified@@ -162,7 +162,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java+2 −1 modified@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import javax.xml.parsers.ParserConfigurationException; import org.hl7.fhir.exceptions.FHIRException; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; import org.xml.sax.SAXException; @@ -73,7 +74,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java+1 −1 modified@@ -70,7 +70,7 @@ public void setLang(String lang) { */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java+2 −1 modified@@ -17,6 +17,7 @@ import org.hl7.fhir.utilities.Utilities; import org.hl7.fhir.utilities.filesystem.CSFile; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) { } private static Document loadXml(String fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java+1 −1 modified@@ -162,7 +162,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java+2 −1 modified@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import javax.xml.parsers.ParserConfigurationException; import org.hl7.fhir.exceptions.FHIRException; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; import org.xml.sax.SAXException; @@ -73,7 +74,7 @@ public static void main(String[] args) // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java+1 −1 modified@@ -70,7 +70,7 @@ public void setLang(String lang) { */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java+2 −1 modified@@ -17,6 +17,7 @@ import org.hl7.fhir.utilities.Utilities; import org.hl7.fhir.utilities.filesystem.CSFile; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) { } private static Document loadXml(String fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java+1 −1 modified@@ -97,7 +97,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) { public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException { Document doc = null; try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); // xxe protection factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java+1 −1 modified@@ -154,7 +154,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java+2 −1 modified@@ -62,6 +62,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import javax.xml.parsers.ParserConfigurationException; import org.hl7.fhir.exceptions.FHIRException; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; import org.xml.sax.SAXException; @@ -74,7 +75,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java+29 −29 modified@@ -1,33 +1,33 @@ package org.hl7.fhir.dstu3.utils; -/* - Copyright (c) 2011+, HL7, Inc. - All rights reserved. - - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of HL7 nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - */ +/* + Copyright (c) 2011+, HL7, Inc. + All rights reserved. 
+ + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of HL7 nor the names of its contributors may be used to + endorse or promote products derived from this software without specific + prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + */ @@ -71,7 +71,7 @@ public void setLang(String lang) { * @throws Exception */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
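Review bot: 28 of the 29 changed lines in this file are the license header re-emitted with no textual difference (presumably a line-ending or trailing-whitespace normalisation), which buries the single security-relevant line in `load()` and makes the patch harder to audit or back-port. The whitespace churn should be a separate commit or reverted here; the same pattern appears in the r5 Translations and XLSXmlParser sections of this commit. A `.gitattributes` text-normalisation rule would likely stop it recurring.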
org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java+2 −1 modified@@ -20,6 +20,7 @@ import org.hl7.fhir.utilities.filesystem.CSFile; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; import org.hl7.fhir.utilities.tests.BaseTestingUtilities; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -176,7 +177,7 @@ private static Document loadXml(String fn) throws Exception { } private static Document loadXml(InputStream fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java+1 −1 modified@@ -111,7 +111,7 @@ public List<NamedElement> parse(InputStream stream) List<NamedElement> res = new ArrayList<>(); Document doc = null; try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); // xxe protection factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/LoincToDEConvertor.java+1 −1 modified@@ -156,7 +156,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/test/utils/TestingUtilities.java+2 −1 modified@@ -23,6 +23,7 @@ import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager; import org.hl7.fhir.utilities.tests.BaseTestingUtilities; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -269,7 +270,7 @@ private static Document loadXml(String fn) throws Exception { } private static Document loadXml(InputStream fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/DigitalSignatures.java+2 −1 modified@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import org.hl7.fhir.utilities.Utilities; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; @@ -88,7 +89,7 @@ public static void main(String[] args) throws Exception { // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/Translations.java+1 −1 modified@@ -70,7 +70,7 @@ public void setLang(String lang) { */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java+1 −1 modified@@ -96,7 +96,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) { public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException { Document doc = null; try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); // xxe protection factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java+1 −1 modified@@ -156,7 +156,7 @@ private void log(String string) { } private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder();
org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java+2 −1 modified@@ -59,6 +59,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import org.hl7.fhir.utilities.tests.BaseTestingUtilities; import org.hl7.fhir.utilities.tests.ResourceLoaderTests; import org.hl7.fhir.utilities.tests.TestConfig; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -256,7 +257,7 @@ private static Document loadXml(String fn) throws Exception { } private static Document loadXml(InputStream fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java+2 −1 modified@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import org.hl7.fhir.utilities.Utilities; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; @@ -88,7 +89,7 @@ public static void main(String[] args) throws Exception { // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java+1 −1 modified@@ -70,7 +70,7 @@ public void setLang(String lang) { */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java+1 −1 modified@@ -126,7 +126,7 @@ public List<ValidatedFragment> parse(InputStream inStream) throws FHIRFormatErro ByteArrayInputStream stream = new ByteArrayInputStream(content); Document doc = null; try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); // xxe protection factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
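Review bot: The three `setFeature` lines below are unchanged context, so this element-model parser already refused DOCTYPE and external entities before this commit; the exposure the advisory describes therefore comes from the other parse sites in this diff that used a bare `DocumentBuilderFactory.newInstance()` with no features (Translations.load, LoincToDEConvertor, CDAUtilities and the rest), which matters when judging whether a given deployment was reachable. The new factory call is harmless here but duplicates policy; I would either remove the explicit block or head it with `// the XMLUtil factory already applies these; kept as the parser's own explicit statement of policy`. `parse()` continues outside the hunk.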
org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/test/utils/CompareUtilities.java+2 −1 modified@@ -15,6 +15,7 @@ import org.hl7.fhir.utilities.json.model.JsonProperty; import org.hl7.fhir.utilities.json.parser.JsonParser; import org.hl7.fhir.utilities.settings.FhirSettings; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -204,7 +205,7 @@ private Document loadXml(String fn) throws Exception { } private Document loadXml(InputStream fn) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
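Review bot: None of the file sections visible in this excerpt adds a regression test that feeds a document with `<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]>` through the element-model XmlParser and asserts that parsing fails without the entity being resolved; without one, the fix depends on nobody later reverting a call site to `DocumentBuilderFactory.newInstance()`. This test helper already sets the three XXE features explicitly, so it is a natural place to host such a fixture. Three of the 43 changed files are not shown here, so such a test may exist further down; if it does, ignore this.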
org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/DigitalSignatures.java+2 −1 modified@@ -62,6 +62,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS import org.hl7.fhir.utilities.Utilities; import org.hl7.fhir.utilities.filesystem.ManagedFileAccess; +import org.hl7.fhir.utilities.xml.XMLUtil; import org.hl7.fhir.utilities.xml.XmlGenerator; import org.w3c.dom.Document; @@ -91,7 +92,7 @@ public static void main(String[] args) throws Exception { // byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(); // load the document that's going to be signed - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory(); dbf.setNamespaceAware(true); DocumentBuilder builder = dbf.newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(inputXml));
org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/Translations.java+29 −29 modified@@ -1,33 +1,33 @@ package org.hl7.fhir.r5.utils; -/* - Copyright (c) 2011+, HL7, Inc. - All rights reserved. - - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of HL7 nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - */ +/* + Copyright (c) 2011+, HL7, Inc. + All rights reserved. + + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. 
+ * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of HL7 nor the names of its contributors may be used to + endorse or promote products derived from this software without specific + prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + */ @@ -71,7 +71,7 @@ public void setLang(String lang) { * @throws Exception */ public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); DocumentBuilder builder = factory.newDocumentBuilder(); loadMessages(builder.parse(new CSFileInputStream(filename))); }
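--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java
@@ -69,7 +69,7 @@ public TranslatorXml(String filename) throws ParserConfigurationException, SAXEx
   private void load(String filename) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document xml = builder.parse(ManagedFileAccess.file(filename));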
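--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
@@ -221,7 +221,7 @@ private void check(boolean test, String message) throws FHIRException {
   private Document parseXml(InputStream in) throws FHIRException, ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(true);
     DocumentBuilder builder = factory.newDocumentBuilder();
     return builder.parse(in);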
org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlParser.java+29 −29 modified@@ -1,33 +1,33 @@ package org.hl7.fhir.utilities.xls; -/* - Copyright (c) 2011+, HL7, Inc. - All rights reserved. - - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of HL7 nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - */ +/* + Copyright (c) 2011+, HL7, Inc. + All rights reserved. 
+ + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of HL7 nor the names of its contributors may be used to + endorse or promote products derived from this software without specific + prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + */ @@ -166,7 +166,7 @@ public XLSXmlParser(InputStream in, String name) throws FHIRException { private Document parseXml(InputStream in) throws FHIRException { try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory(); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder(); return builder.parse(in);
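--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
@@ -32,7 +32,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import java.io.ByteArrayInputStream;
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -437,28 +436,28 @@ public static boolean hasNamedChild(Element e, String name) {
   }
   public static Document parseToDom(String content) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     return builder.parse(new ByteArrayInputStream(content.getBytes()));
   }
   public static Document parseToDom(byte[] content) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     return builder.parse(new ByteArrayInputStream(content));
   }
   public static Document parseToDom(byte[] content, boolean ns) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(ns);
     DocumentBuilder builder = factory.newDocumentBuilder();
     return builder.parse(new ByteArrayInputStream(content));
   }
   public static Document parseFileToDom(String filename) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     FileInputStream fs = ManagedFileAccess.inStream(filename);
@@ -470,7 +469,7 @@ public static Document parseFileToDom(String filename) throws ParserConfiguratio
   }
   public static Document parseFileToDom(String filename, boolean ns) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setNamespaceAware(ns);
     DocumentBuilder builder = factory.newDocumentBuilder();
     FileInputStream fs = ManagedFileAccess.inStream(filename);
@@ -503,12 +502,19 @@ public static String getNamedChildAttribute(Element element, String name, String
   }
   public static TransformerFactory newXXEProtectedTransformerFactory() {
-    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    final TransformerFactory transformerFactory = TransformerFactory.newInstance();
     transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
     return transformerFactory;
   }
+  public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
+    final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    documentBuilderFactory.setXIncludeAware(false);
+    return documentBuilderFactory;
+  }
   public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
     TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();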
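Review bot: `newXXEProtectedDocumentBuilderFactory` lands without Javadoc even though it changes behaviour for every call site the commit migrates: `disallow-doctype-decl` makes the parser reject any document that carries a DOCTYPE, not only one declaring external entities, so inputs that used to parse now fail with a SAXParseException, and `setFeature` itself throws ParserConfigurationException when the Xerces-specific URI is unknown, which means the helper fails closed instead of returning an unprotected factory. A Javadoc summary stating that it returns a factory hardened against XXE, with `@throws ParserConfigurationException if the parser does not support the disallow-doctype-decl feature` and a note that DOCTYPE-bearing documents are rejected, would cover both. For defence in depth the helper should also carry the settings `parseXml` in ValidatorUtils still applies at its call site, so callers can drop their local copies: `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);`, `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `documentBuilderFactory.setExpandEntityReferences(false);`.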
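--- a/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java
+++ b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java
@@ -37,6 +37,7 @@
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
 import org.hl7.fhir.utilities.i18n.I18nConstants;
 import org.hl7.fhir.utilities.validation.ValidationMessage;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.hl7.fhir.validation.cli.utils.AsteriskFilter;
 import org.hl7.fhir.validation.cli.utils.Common;
 import org.w3c.dom.Document;
@@ -115,7 +116,7 @@ public static BaseLoaderR5 loaderForVersion(String version, ILoaderKnowledgeProv
   }
   protected static Document parseXml(byte[] cnt) throws ParserConfigurationException, SAXException, IOException {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     // xxe protection
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);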
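Review bot: `parseXml` now receives a factory that already disallows DOCTYPE, yet the context line below repeats `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` and the following lines add the external-entity features the helper does not set, so the hardening is split across two places; `loadXml(InputStream)` in UtilitiesXTests has the same duplication. Either move the external-entity features into `XMLUtil.newXXEProtectedDocumentBuilderFactory` and delete the local block, or keep it and replace the bare `// xxe protection` comment with one that explains the split, e.g. `// factory already rejects DOCTYPE; external-entity features kept here until XMLUtil carries them`, so a later cleanup does not strip them as redundant. The body of parseXml continues past the hunk.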
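--- a/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java
+++ b/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java
@@ -64,6 +64,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
 import org.hl7.fhir.utilities.filesystem.CSFile;
 import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
 import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager;
+import org.hl7.fhir.utilities.xml.XMLUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -277,7 +278,7 @@ private static Document loadXml(String fn) throws Exception {
   }
   private static Document loadXml(InputStream fn) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);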