Description
The XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 neither disables nor restricts the resolution of external entities. A WSDL document supplied by an attacker can therefore declare an external entity (for example `<!ENTITY xxe SYSTEM "file:///...">`) and have the parser fetch and include its content, exposing the parser to an XML External Entity (XXE) attack: local file disclosure, server-side requests to internal hosts, and denial of service through entity expansion.
Proposed solution: always disable external entities when the factory is created, so every parser obtained from it inherits the setting:

    import javax.xml.parsers.DocumentBuilderFactory;
    import javax.xml.parsers.ParserConfigurationException;

    public static DocumentBuilderFactory createDocumentBuilderFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            // Never fetch external general entities (<!ENTITY x SYSTEM "...">)
            // or external parameter entities (<!ENTITY % x SYSTEM "...">).
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        } catch (ParserConfigurationException e) {
            // Only thrown if the underlying parser does not know the feature;
            // fail closed instead of silently parsing with entities enabled.
            throw new IllegalStateException(e);
        }
        return factory;
    }
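The following is an added, self-contained Java example; it is not code from this issue or from Axis2. It builds a constructed WSDL 2.0-shaped document whose DOCTYPE declares an external entity and parses it three ways: with a default factory (the state reported above), with the factory proposed above, and with a stricter variant that additionally sets the Xerces feature `disallow-doctype-decl`. The two entity features stop the entity from being fetched but still accept a document carrying a DTD, so internal-entity expansion attacks (billion laughs) remain possible; since a WSDL document does not carry a DOCTYPE in normal use, rejecting the DOCTYPE outright is the stronger fix. The namespace and element names are the real WSDL 2.0 ones; the document and the `file:///etc/hostname` path are constructed for illustration and stand in for any file an attacker wants to read.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class WsdlXxeDemo {

    static final String WSDL20_NS = "http://www.w3.org/ns/wsdl";

    // Constructed sample (not from the Axis2 code base): a WSDL 2.0-shaped document
    // whose DOCTYPE declares an external entity that points at a local file.
    static final String MALICIOUS_WSDL =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE description [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<description xmlns=\"" + WSDL20_NS + "\">\n"
        + "  <documentation>&xxe;</documentation>\n"
        + "</description>\n";

    // The unhardened state described in the issue: factory defaults only.
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    // The fix proposed in the issue: external entities are declared but never fetched.
    static DocumentBuilderFactory entitiesDisabledFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = defaultFactory();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Stricter variant: any DOCTYPE is a fatal error, and the remaining paths to an
    // external resource (external DTD subset, XInclude) are closed as well.
    static DocumentBuilderFactory noDoctypeFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = entitiesDisabledFactory();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of <documentation>, which is where
    // the entity content lands if the parser resolves it.
    static String documentationText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagNameNS(WSDL20_NS, "documentation");
        return nodes.item(0).getTextContent();
    }

    static void report(String label, DocumentBuilderFactory f) {
        try {
            String text = documentationText(f, MALICIOUS_WSDL).trim();
            System.out.println(label + ": parsed, <documentation> = "
                + (text.isEmpty() ? "<empty>" : text));
        } catch (Exception e) {
            System.out.println(label + ": rejected, "
                + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        report("default factory   ", defaultFactory());      // leaks the file content (or fails on I/O)
        report("entities disabled ", entitiesDisabledFactory()); // parses; entity never fetched
        report("DOCTYPE disallowed", noDoctypeFactory());    // SAXParseException on the DOCTYPE
    }
}
```

On a Linux host the first line prints the machine's hostname, which is exactly the data an attacker would exfiltrate through a crafted WSDL; the second parses the document with an empty `<documentation>` element; the third refuses the document before any entity is even declared. Whichever variant is adopted, it belongs in the single factory-creation method so both call sites in WSDL20ToAxisServiceBuilder pick it up.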