Fix SchemaFactory configuration of XML validator

nscuro · nscuro · commit 66161f81f5df · 2025-11-02T20:51:45.000+01:00
Signed-off-by: nscuro &lt;nscuro@protonmail.com&gt;
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ Maven Usage
 <dependency>
     <groupId>org.cyclonedx</groupId>
     <artifactId>cyclonedx-core-java</artifactId>
-    <version>10.1.0</version>
+    <version>11.0.1</version>
 </dependency>
 ```
 
diff --git a/pom.xml b/pom.xml
@@ -23,7 +23,7 @@
     <groupId>org.cyclonedx</groupId>
     <artifactId>cyclonedx-core-java</artifactId>
     <packaging>jar</packaging>
-    <version>11.1.0-SNAPSHOT</version>
+    <version>11.0.1-SNAPSHOT</version>
 
     <name>CycloneDX Core (Java)</name>
     <description>The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.</description>
diff --git a/src/main/java/org/cyclonedx/CycloneDxSchema.java b/src/main/java/org/cyclonedx/CycloneDxSchema.java
@@ -271,6 +271,8 @@ private Schema getXmlSchema16() throws SAXException {
 
   public Schema getXmlSchema(InputStream... inputStreams) throws SAXException {
     final SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+    schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
     final Source[] schemaFiles = new Source[inputStreams.length];
     for (int i = 0; i < inputStreams.length; i++) {
       schemaFiles[i] = new StreamSource(inputStreams[i]);
diff --git a/src/test/java/org/cyclonedx/parsers/XmlParserTest.java b/src/test/java/org/cyclonedx/parsers/XmlParserTest.java
@@ -18,13 +18,13 @@
  */
 package org.cyclonedx.parsers;
 
+import org.apache.commons.io.IOUtils;
 import org.cyclonedx.Version;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.Component.Type;
 import org.cyclonedx.model.Dependency;
 import org.cyclonedx.model.ExternalReference;
-import org.cyclonedx.model.License;
 import org.cyclonedx.model.LicenseChoice;
 import org.cyclonedx.model.OrganizationalEntity;
 import org.cyclonedx.model.Pedigree;
@@ -65,14 +65,25 @@
 import org.cyclonedx.model.license.Acknowledgement;
 import org.cyclonedx.model.license.Expression;
 import org.junit.jupiter.api.Test;
+
 import java.io.File;
+import java.io.InputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -746,4 +757,48 @@ public void testIssue492Regression() throws Exception {
         final Bom bom = getXmlBom("regression/issue492.xml");
         assertEquals(2, bom.getMetadata().getTools().size());
     }
+
+    @Test
+    void validateShouldNotBeVulnerableToXxe() throws Exception {
+        final byte[] bomBytes;
+        try (final InputStream bomInputStream = getClass().getResourceAsStream("/security/xxe-protection.xml")) {
+            assertNotNull(bomInputStream);
+            bomBytes = IOUtils.toByteArray(bomInputStream);
+        }
+
+        // To verify that the validation not only doesn't fail,
+        // but also doesn't cause any unintended side effects,
+        // open a TCP socket on the port referenced in the
+        // XML file. Verify that once validation completes,
+        // no connection attempt has been made.
+
+        final CountDownLatch countDownLatch = new CountDownLatch(1);
+        final AtomicBoolean receivedConnection = new AtomicBoolean(false);
+
+        final ExecutorService executor = Executors.newSingleThreadExecutor();
+        try (final ServerSocket serverSocket = new ServerSocket(1010)) {
+            executor.submit((Callable<Void>) () -> {
+                countDownLatch.countDown();
+
+                // Blocks until either a connection is received,
+                // or the socket is closed.
+                final Socket socket = serverSocket.accept();
+                receivedConnection.set(true);
+                socket.close();
+                return null;
+            });
+
+            // Wait for the socket to be ready.
+            countDownLatch.await();
+
+            final XmlParser parser = new XmlParser();
+            parser.validate(bomBytes);
+        } finally {
+            executor.shutdownNow();
+            executor.awaitTermination(3, TimeUnit.SECONDS);
+        }
+
+        assertFalse(receivedConnection.get());
+    }
+
 }
