From 536e74478d676bb58fbb83801ac17abd781b3584 Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Mon, 16 Feb 2026 11:02:10 -0800
Subject: [PATCH 1/3] Improved validation for XML parsing and paths

---
 .../bootstrap/src/org/labkey/bootstrap/ModuleArchive.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
index 9a07ff8200..87db24720f 100644
--- a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
+++ b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
@@ -71,7 +71,12 @@ private String nameFromModuleXML(InputStream is) throws IOException
 try
 {
- SAXParser parser = SAXParserFactory.newDefaultInstance().newSAXParser();
+ SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ SAXParser parser = factory.newSAXParser();
 parser.parse(is, new DefaultHandler()
 {
 final ArrayList elementStack = new ArrayList<>();

From 42c4aa57c98bf4415743fbf0bf341d2e0adc4722 Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Mon, 16 Feb 2026 12:52:14 -0800
Subject: [PATCH 2/3] Comments and consistency

---
 server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
index 87db24720f..3293b507c9 100644
--- a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
+++ b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
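Review bot: Turning on `disallow-doctype-decl` is the right XXE defence, but it also means any module.xml that carries an otherwise harmless `<!DOCTYPE …>` will now abort the parse with a SAXException instead of producing a name, and nothing in the hunk or the commit message records that this is deliberate; I would put it next to the feature call: `// Intentional: a DTD is the XXE/entity-expansion vector, so a module.xml declaring one is rejected outright.` The four `setFeature` calls also throw the checked `SAXNotRecognizedException`/`SAXNotSupportedException`, and the catch that handles them is outside the hunk, so please confirm it reports which archive failed rather than quietly treating the module as nameless. Because `SAXParserFactory.newDefaultInstance()` always returns the JDK's built-in parser and skips the JAXP service lookup, the Apache-specific feature URI is guaranteed to be recognised — worth saying in the comment so nobody later "simplifies" this to `newInstance()` and makes the hardening depend on whatever parser is on the classpath. nameFromModuleXML begins before and ends after this hunk.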
@@ -19,6 +19,7 @@ import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -71,11 +72,13 @@ private String nameFromModuleXML(InputStream is) throws IOException
 try
 {
+ // Keep this in sync with config on XmlBeanUtil.SAX_PARSER_FACTORY. See motiviations in comments there.
 SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
- factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
 SAXParser parser = factory.newSAXParser();
 parser.parse(is, new DefaultHandler()
 {

From 3c06ce2d4e43346a25a4ba9c8f80e3620da35e52 Mon Sep 17 00:00:00 2001
From: labkey-jeckels
Date: Mon, 16 Feb 2026 12:53:42 -0800
Subject: [PATCH 3/3] Fix typo

---
 server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
index 3293b507c9..b613a1ce51 100644
--- a/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
+++ b/server/bootstrap/src/org/labkey/bootstrap/ModuleArchive.java
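Review bot: The new `// Keep this in sync with …` comment makes the XXE hardening depend on a human remembering two places, yet says nothing about what is lost if the two lists drift, so a future editor has no reason not to relax one of them; I would name the threat in the comment itself, e.g. `// Keep in sync with XmlBeansUtil.SAX_PARSER_FACTORY: disallowing DOCTYPE and external entities blocks XXE and entity-expansion attacks from untrusted module archives.` If bootstrap genuinely cannot reference the class that owns `SAX_PARSER_FACTORY` (the comment implies so, but that dependency is not visible here), a small test that feeds a DOCTYPE-bearing document to both parsers and expects a SAXException would catch drift without sharing code. Moving `FEATURE_SECURE_PROCESSING` to the end is harmless since the four features are independent. nameFromModuleXML begins before and ends after this hunk.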
@@ -72,7 +72,7 @@ private String nameFromModuleXML(InputStream is) throws IOException
 try
 {
- // Keep this in sync with config on XmlBeanUtil.SAX_PARSER_FACTORY. See motiviations in comments there.
+ // Keep this in sync with config on XmlBeansUtil.SAX_PARSER_FACTORY. See motiviations in comments there.
 SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
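Review bot: The rewritten comment still misspells `motiviations`, so this "Fix typo" commit leaves a typo on the very line it corrects; the line should read `// Keep this in sync with the configuration of XmlBeansUtil.SAX_PARSER_FACTORY. See motivations in comments there.` Since the reference to `XmlBeansUtil` is the only thing tying this parser setup to its documented rationale, it is worth getting the wording exactly right so a search for the class name finds both sites. nameFromModuleXML begins before and ends after this hunk.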