Cannot disable DTDs with PubMed, so instead disallow external entities & entity expansion

(cherry picked from commit f9614c41a6)
2025-10-07 01:54:22 +00:00 · 2025-04-29 16:57:31 -05:00
parent 6fe9af84bd
commit 90ea371e0b
1 changed files with 3 additions and 1 deletions
--- a/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/importer/external/pubmed/service/PubmedImportMetadataSourceServiceImpl.java
@@ -234,8 +234,10 @@ public class PubmedImportMetadataSourceServiceImpl extends AbstractImportMetadat

        try {
            SAXBuilder saxBuilder = new SAXBuilder();
-            saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            // Disallow external entities & entity expansion to protect against XXE attacks
+            // (NOTE: We receive errors if we disable all DTDs for PubMed, so this is the best we can do)
            saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            Document document = saxBuilder.build(new StringReader(src));
            Element root = document.getRootElement();