@triceo (Collaborator) commented Jan 9, 2026

Reported by Aikido earlier today.

@triceo triceo requested a review from zepfred January 9, 2026 09:26
Copilot AI (Contributor) left a comment

Pull request overview

This pull request enhances XXE (XML External Entity) attack prevention in the codebase by improving the security configuration of XML parsing components. The changes were triggered by a security report from Aikido.

Key changes:

  • Extracted and centralized secure factory creation methods for XML processing components
  • Strengthened DocumentBuilderFactory configuration to disallow DOCTYPE declarations entirely
  • Consolidated security configurations for TransformerFactory, SchemaFactory, and Validator
  • Modernized code with String.formatted(), var declarations, and record types

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Files reviewed:

  • core/src/main/java/ai/timefold/solver/core/impl/io/jaxb/GenericJaxbIO.java: Added secure factory methods with XXE protections, refactored existing code to use them, modernized syntax
  • core/src/test/java/ai/timefold/solver/core/impl/io/jaxb/GenericJaxbIOTest.java: Updated test assertion to match new DOCTYPE disallowance error message
  • benchmark/src/main/java/ai/timefold/solver/benchmark/impl/xsd/XsdAggregator.java: Updated to use new secure factory methods from GenericJaxbIO, modernized syntax

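The hardening the review overview describes, written out as an added illustration rather than code from GenericJaxbIO: one factory method per XML component, with a DOCTYPE-carrying document rejected before any entity is resolved. The class and method names are assumptions; the input document is constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper, not GenericJaxbIO itself; the method names are assumptions.
public final class SecureXmlFactories {
    public static DocumentBuilderFactory newDocumentBuilderFactory() throws Exception {
        var factory = DocumentBuilderFactory.newInstance();
        // Entities can only be declared in a DOCTYPE, so refusing the DOCTYPE closes XXE at the root.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Empty string: no protocol may be used to fetch external DTDs or schemas.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }
    public static TransformerFactory newTransformerFactory() throws Exception {
        var factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }
    public static SchemaFactory newSchemaFactory() throws Exception {
        var factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }
    public static Validator newValidator(Schema schema) throws Exception {
        var validator = schema.newValidator(); // has its own resolver settings, so harden it too
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }
    public static void main(String[] args) throws Exception {
        var builder = newDocumentBuilderFactory().newDocumentBuilder();
        // Constructed input: a harmless internal DOCTYPE is enough to trigger the rejection.
        var withDoctype = "<!DOCTYPE root [<!ENTITY greeting \"hi\">]><root>&greeting;</root>";
        try {
            builder.parse(new InputSource(new StringReader(withDoctype)));
        } catch (SAXParseException e) {
            System.out.println("Rejected as intended: " + e.getMessage());
        }
        System.out.println("Plain document parsed: " + builder.parse(new InputSource(new StringReader("<root>hi</root>"))).getDocumentElement().getTagName());
    }
}
```

The SAXParseException message is the one the updated GenericJaxbIOTest assertion checks for, so a test that feeds a DOCTYPE-carrying document through the factory is the regression guard for this change.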

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

@zepfred (Contributor) left a comment

LGTM!

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

@sonarqubecloud bot commented Jan 9, 2026

Quality Gate failed

Failed conditions
69.7% Coverage on New Code (required ≥ 70%)

See analysis details on SonarQube Cloud

@triceo triceo merged commit 55b928d into TimefoldAI:main Jan 9, 2026
38 of 40 checks passed
@triceo triceo deleted the xxe branch January 9, 2026 12:22