No Jira: Disable DTD when Parsing XML#540

Merged
mikejritter merged 1 commit into
collectionspace:mainfrom
mikejritter:task/cherry-pick-5ecf54a
Jun 4, 2026
Conversation

@mikejritter

@mikejritter mikejritter commented Jun 3, 2026

What does this do?
This cherry picks commit 5ecf54a into main

Why are we doing this? (with JIRA link)
No jira. This disables the Doctype declaration on XML, preventing external entities from being loaded.

How should this be tested? Do these changes have associated tests?

  • Rebuild and start
    • Reminder: this is the current release which uses JDK 8
  • Try to POST or PUT to the collectionspace API with XML that includes a doctype declaration, e.g.
<?xml version="1.0"?>
<!DOCTYPE document []>
<document>
  <ns2:collectionobjects_common xmlns:ns2="http://collectionspace.org/services/collectionobject">
    <objectNumber>2027.0.1</objectNumber>
  </ns2:collectionobjects_common>
</document>
  • See that server rejects the request

Dependencies for merging? Releasing to production?
This includes the version bump for 8.3.1 so maybe #538 should be merged first. We might also want to create a ticket for creating tests for this. Although the manual check is fine, something more comprehensive would probably be good.

Has the application documentation been updated for these changes?
No

Did someone actually run this code to verify it works?
@mikejritter tested locally

Have any new security vulnerabilities been handled?
This handles the same vuln from #535

# Conflicts:
#	services/client/src/main/java/org/collectionspace/services/client/PoxPayload.java
#	services/common-http/src/main/java/org/collectionspace/services/common/provider/JakartaJAXBProvider.java
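The check described in the testing steps above, as an added illustration that is not part of this PR or of the CollectionSpace code base: a hypothetical `DoctypeRejectionDemo` class configures a JDK DOM parser with the Xerces `disallow-doctype-decl` feature (plus the usual external-entity features as defence in depth) and runs the payload from the PR description through it, alongside the same payload with the DOCTYPE removed. The class name, the `hardenedBuilder` and `accepts` helpers, and the DOM-based approach are assumptions for the example; the PR's actual changes live in the JAXB provider and `PoxPayload`, which this snippet does not reproduce.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hypothetical demo (not CollectionSpace code): builds a DOM parser that
 * refuses any DOCTYPE declaration, then feeds it the payload from the PR
 * description to show that it is rejected while the same payload without
 * a DOCTYPE still parses. Works on JDK 8 and later.
 */
public class DoctypeRejectionDemo {

    /** Parser configured so that a DOCTYPE anywhere in the input is a fatal error. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Primary control: no DOCTYPE means no internal or external entity
        // declarations can ever be processed, so XXE is ruled out structurally.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the parser accepted the document, false if it rejected it. */
    static boolean accepts(DocumentBuilder builder, String xml) throws IOException {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // With disallow-doctype-decl the message is "DOCTYPE is disallowed ...".
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Payload taken from the PR description: a DOCTYPE with an empty internal subset.
        String withDoctype = String.join("\n",
            "<?xml version=\"1.0\"?>",
            "<!DOCTYPE document []>",
            "<document>",
            "  <ns2:collectionobjects_common xmlns:ns2=\"http://collectionspace.org/services/collectionobject\">",
            "    <objectNumber>2027.0.1</objectNumber>",
            "  </ns2:collectionobjects_common>",
            "</document>");

        // The same payload with the DOCTYPE line removed, i.e. what a client should send.
        String withoutDoctype = withDoctype.replace("<!DOCTYPE document []>\n", "");

        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("with DOCTYPE accepted?    " + accepts(hardened, withDoctype));
        System.out.println("without DOCTYPE accepted? " + accepts(hardened, withoutDoctype));
    }
}
```

Rejecting the DOCTYPE outright is simpler to reason about than allowing a DTD and trying to block only the dangerous entity forms, which is why the feature is set first and the entity-specific features are kept only as a fallback. Note that the JDK's default error handler also prints a `[Fatal Error]` line to stderr before the exception is thrown; a production provider would install its own `ErrorHandler` and map the failure to an HTTP 400 rather than printing.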
@mikejritter mikejritter requested a review from spirosdi June 3, 2026 20:41

@spirosdi spirosdi left a comment

Looks good. Also tested locally and works as expected

@spirosdi

spirosdi commented Jun 4, 2026

Let us release the 8.3.1 without the #538. Those changes are not really necessary for lyrasis hosted clients. Their dependency resolution is handled in a completely different way (through the plugin version map file) and they are already updated.

Let us release the #538 as a next patch release mainly for self-hosted clients and demo/qa sites. Actually for the self hosted ones we only need to tag and release in github. I think this is also valid for demo/qa environments as they actually download the ui dependencies from github. In any case I think it is safer to release the #538 separately as it is not that high prio and it is better not to delay the current PR updates because of any #538 implications.

@mikejritter mikejritter merged commit 96a0044 into collectionspace:main Jun 4, 2026
@mikejritter mikejritter deleted the task/cherry-pick-5ecf54a branch June 4, 2026 16:04