chore(deps): update assertj.version [security] #221

Open

ZxBot wants to merge 2 commits into devel from renovate/assertj.version

Conversation

@ZxBot ZxBot commented Jan 27, 2026

Contributor
This PR contains the following updates:

Package:    org.assertj:assertj-core (source)
Change:     3.27.6 -> 3.27.7
Age:        (badge)
Confidence: (badge)

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone Europe/Rome)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@ZxBot ZxBot force-pushed the renovate/assertj.version branch 3 times, most recently from 89fb7a9 to 1534dac Compare February 13, 2026 03:29
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 2 times, most recently from 245ee93 to 88c9903 Compare February 23, 2026 03:03
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 2 times, most recently from e11313c to 068e0bf Compare February 25, 2026 03:07
@ZxBot ZxBot force-pushed the renovate/assertj.version branch from 068e0bf to 711d3af Compare March 10, 2026 03:10
@ZxBot ZxBot force-pushed the renovate/assertj.version branch from 711d3af to 545cb73 Compare March 25, 2026 11:27
@ZxBot ZxBot changed the title from "chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]" to "chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security] - autoclosed" Mar 27, 2026
@ZxBot ZxBot closed this Mar 27, 2026
@ZxBot ZxBot deleted the renovate/assertj.version branch March 27, 2026 03:30
@ZxBot ZxBot changed the title from "chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security] - autoclosed" to "chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]" Mar 31, 2026
@ZxBot ZxBot reopened this Mar 31, 2026
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 2 times, most recently from 545cb73 to 2efa881 Compare March 31, 2026 03:18
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 2 times, most recently from 7155948 to e210fb5 Compare April 15, 2026 03:07
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 4 times, most recently from b721943 to f8f958b Compare April 23, 2026 20:05
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 3 times, most recently from a72128e to 80755e9 Compare May 1, 2026 03:07
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 2 times, most recently from 6dc3d79 to c5eaffa Compare May 6, 2026 03:32
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 3 times, most recently from 5110fb0 to 0ace9a3 Compare May 12, 2026 03:23
@ZxBot ZxBot force-pushed the renovate/assertj.version branch 3 times, most recently from 5c45b19 to eba09dd Compare June 1, 2026 03:06
@ZxBot ZxBot changed the title from "chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]" to "chore(deps): update assertj.version to v3.27.7 [security]" Jun 3, 2026
@ZxBot ZxBot force-pushed the renovate/assertj.version branch from eba09dd to 5f793e9 Compare June 3, 2026 03:04
@ZxBot ZxBot force-pushed the renovate/assertj.version branch from 5f793e9 to d74b38d Compare June 13, 2026 00:16
@ZxBot ZxBot changed the title from "chore(deps): update assertj.version to v3.27.7 [security]" to "chore(deps): update assertj.version [security]" Jun 19, 2026
@ZxBot ZxBot force-pushed the renovate/assertj.version branch from d74b38d to c240d0d Compare June 20, 2026 00:42
@sonarqube-zextras commented

Quality Gate passed

Project ID: com.zextras.carbonio.files:carbonio-files-ce

@M0Rf30 M0Rf30 force-pushed the devel branch 3 times, most recently from cd8e618 to 0d60732 Compare June 22, 2026 22:22
@ZxBot ZxBot commented Jun 23, 2026

Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
