feat/CUS-12079-Added class to update the given xml file#377
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@update_xml/src/main/java/com/testsigma/addons/web/UpdatexmlInGivenFile.java`:
- Line 54: The logger.info call in UpdatexmlInGivenFile (the line that logs
filePath, tagName, index, attributeName, attributeValue) exposes sensitive data;
change it to only log non-sensitive metadata (e.g., tagName and index) and
either omit or mask filePath and attributeValue (for example replace with
"<redacted>" or show only length/hashed form), while keeping attributeName if
non-sensitive; update the message in the logger.info invocation accordingly so
sensitive values are not written to INFO logs.
- Around line 63-65: Harden XML parsing and transformation to prevent XXE: when
creating DocumentBuilderFactory/DocumentBuilder (symbols:
DocumentBuilderFactory, DocumentBuilder, Document) set/disallow DOCTYPE and
external entity features (e.g., disable DOCTYPE,
setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true),
setExpandEntityReferences(false), setXIncludeAware(false)) and install a no-op
EntityResolver on the DocumentBuilder to block external entities before calling
parse; similarly, when creating TransformerFactory/Transformer (symbols:
TransformerFactory, Transformer) enable secure processing and disable external
access to files and DTDs (use FEATURE_SECURE_PROCESSING and provider-specific
attributes for external access) so external entity resolution and external
resource access are prevented.
In
`@update_xml/src/main/java/com/testsigma/addons/web/UpdateXmlInGivenFileWithNewData.java`:
- Line 53: The logger.info in UpdateXmlInGivenFileWithNewData is emitting
sensitive payloads (oldValue/newValue); change the log to omit or mask those
values by logging only non-sensitive context (e.g., filePath, tagName,
targetIndex) and either remove oldValue/newValue from the message or replace
them with a redacted placeholder like "<REDACTED>" or their lengths; update the
invocation of logger.info (referencing logger.info, filePath, tagName, oldValue,
newValue, targetIndex) accordingly so no raw XML content is written at INFO
level.
- Around line 62-64: Update the XML parser and transformer to disable external
entity resolution: configure the DocumentBuilderFactory (used to create
DocumentBuilder and parse in UpdateXmlInGivenFileWithNewData) by setting
XMLConstants.FEATURE_SECURE_PROCESSING to true and setting ACCESS_EXTERNAL_DTD
and ACCESS_EXTERNAL_SCHEMA to empty strings before calling
newDocumentBuilder/parse; likewise configure the TransformerFactory instance
(used later to create Transformer) to enable FEATURE_SECURE_PROCESSING and set
ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" before creating the
Transformer so XXE/external resource access is blocked.
📒 Files selected for processing (5)
- update_xml/pom.xml
- update_xml/src/main/java/com/testsigma/addons/web/UpdateXmlInGivenFileWithNewData.java
- update_xml/src/main/java/com/testsigma/addons/web/UpdateXmlWithNewData.java
- update_xml/src/main/java/com/testsigma/addons/web/Updatexml.java
- update_xml/src/main/java/com/testsigma/addons/web/UpdatexmlInGivenFile.java
```java
String attributeName = testData4.getValue().toString();
String attributeValue = testData5.getValue().toString();

logger.info("Parameters - filepath: " + filePath + ", tagname: " + tagName + ", index: " + index + ", attributename: " + attributeName + ", attributevalue: " + attributeValue);
```
Avoid logging raw XML values and file paths at INFO.
This log line can leak sensitive data (filepath, attributevalue) into centralized logs. Log only non-sensitive metadata (e.g., tag + index) or mask values.
```java
DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
Document doc = docBuilder.parse(inputFile);
```
🧩 Analysis chain
🏁 Script executed:
```
find . -type f -name "UpdatexmlInGivenFile.java" 2>/dev/null
```
Repository: testsigmahq/testsigma-addons
Length of output: 1887
🏁 Script executed:
```
git ls-files | grep -i updatexml
```
Repository: testsigmahq/testsigma-addons
Length of output: 1887
🌐 Web query:
Java XXE vulnerability DocumentBuilderFactory secure processing best practices OWASP
💡 Result:
To prevent XXE vulnerabilities in Java's DocumentBuilderFactory, follow these OWASP and Oracle-recommended best practices:
1. Enable Feature for Secure Processing (FSP):
```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```
This enforces processing limits, disables external entity resolution, and restricts other risky features. Note: In recent JDKs (e.g., Java 21+), FSP is enabled by default for DOM/SAX parsers, but explicit setting is recommended for external access restrictions.
2. Explicitly restrict external access:
```java
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
```
The empty string "" disallows all external access; use "file" or others for limited local access if needed.
3. Disable DTD processing (primary defense per OWASP):
```java
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
```
This prevents most XXE attacks by blocking DOCTYPE declarations entirely.
Additional hardening (from OWASP and Oracle):
- factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- factory.setXIncludeAware(false);
- factory.setExpandEntityReferences(false);
Use DocumentBuilderFactory.newDefaultInstance() in Java 9+ for safer defaults. Catch ParserConfigurationException when setting features/attributes. For complete security, combine FSP with external access restrictions and DTD disable. Test for application impact, as disabling DTDs may break validation relying on external schemas.
Example full secure factory:
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder db = dbf.newDocumentBuilder();
```
Citations:
- 1: https://docs.oracle.com/en/java/javase/24/security/java-api-xml-processing-jaxp-security-guide.html
- 2: https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html
- 3: https://deepsource.com/directory/java/issues/JAVA-A1052
- 4: https://semgrep.dev/docs/cheat-sheets/java-xxe
- 5: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- 6: https://docs.oracle.com/en/java/javase/26/security/java-api-xml-processing-jaxp-security-guide.html
🌐 Web query:
Java XML external entity prevention DocumentBuilderFactory setFeature XMLConstants
💡 Result:
To prevent XML External Entity (XXE) attacks when using DocumentBuilderFactory in Java, configure the factory with specific security features using setFeature from javax.xml.XMLConstants. The primary and most reliable approach is to disable DTD processing and external entities explicitly.
Recommended configuration code:
```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.XMLConstants;
import org.xml.sax.SAXException;
import org.w3c.dom.Document;
import java.io.InputStream;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
try {
    // PRIMARY defense: Disallow DOCTYPE declarations (prevents most XXE)
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Disable external general entities
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // Disable external parameter entities
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Additional protections
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    // Optional: Enable secure processing (FSP) - limits resources but may not fully block XXE alone
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    DocumentBuilder db = dbf.newDocumentBuilder();
    // Use db to parse XML from trusted sources only
    Document doc = db.parse(inputStream);
} catch (Exception e) {
    // Handle configuration or parsing errors
}
```
Key features explained:
- http://apache.org/xml/features/disallow-doctype-decl: Blocks DOCTYPE entirely, preventing XXE via external DTDs.
- http://xml.org/sax/features/external-general-entities and external-parameter-entities: Disable external entity resolution.
- XMLConstants.FEATURE_SECURE_PROCESSING: Enables resource limits (e.g., entity expansion limits for XML bombs), but does not reliably block all XXE; use in combination.
For Java 9+, prefer DocumentBuilderFactory.newDefaultInstance() for secure defaults, then apply the above features. Additionally, restrict external access globally via system properties or jaxp.properties:
```
javax.xml.accessExternalDTD=""
javax.xml.accessExternalSchema=""
```
Parse only trusted XML input. If DTDs are required, implement a custom EntityResolver that rejects external URIs. This configuration is endorsed by OWASP and Oracle JAXP documentation as of Java 26 (2026).
Citations:
- 1: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- 2: https://semgrep.dev/docs/cheat-sheets/java-xxe
- 3: https://stackoverflow.com/questions/26488319/how-to-prevent-xml-injection-like-xml-bomb-and-xxe-attack
- 4: https://stackoverflow.com/questions/56777287/how-to-fix-disable-xml-external-entity-xxe-processing-vulnerabilities-in-jav
- 5: https://docs.oracle.com/en/java/javase/24/security/java-api-xml-processing-jaxp-security-guide.html
- 6: https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html
- 7: https://github.com/nokia/OWASP-CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
- 8: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html
- 9: https://docs.oracle.com/javase/8/docs/api/javax/xml/parsers/DocumentBuilderFactory.html
- 10: https://docs.oracle.com/en/java/javase/22/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html
- 11: https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html
Disable external entity processing in XML factories to prevent XXE attacks.
The DocumentBuilderFactory and TransformerFactory instances are created without security hardening, leaving them vulnerable to XML External Entity (XXE) attacks, which can enable file disclosure, SSRF, and entity expansion (billion laughs) attacks on untrusted input.
🔒 Required hardening
```diff
+import javax.xml.XMLConstants;
...
DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+docFactory.setXIncludeAware(false);
+docFactory.setExpandEntityReferences(false);
DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
...
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transformerFactory.newTransformer();
```
Also applies to: lines 81–87
```java
String newValue = testData4.getValue().toString();
int targetIndex = Integer.parseInt(testData5.getValue().toString());

logger.info("Parameters - filepath: " + filePath + ", tagname: " + tagName + ", old_value: " + oldValue + ", new_value: " + newValue + ", index: " + targetIndex);
```
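Review bot: `Integer.parseInt(testData5.getValue().toString())` throws an unchecked NumberFormatException on non-numeric test data and accepts a negative index as-is; parse it in a guarded step (catch NumberFormatException, reject values below 0) and report a clear addon error rather than letting the raw exception propagate.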
Do not log old_value/new_value at INFO level.
This can expose sensitive XML content. Please mask or omit value payloads in logs.
```java
DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
Document doc = docBuilder.parse(inputFile);
```
🧩 Analysis chain
🏁 Script executed:
```
find . -name "UpdateXmlInGivenFileWithNewData.java" -type f
```
Repository: testsigmahq/testsigma-addons
Length of output: 1887
🌐 Web query:
Java JAXP DocumentBuilderFactory XXE vulnerability secure configuration
💡 Result:
To securely configure Java's JAXP DocumentBuilderFactory against XXE (XML External Entity) vulnerabilities, follow these steps based on official Oracle documentation and security best practices. XXE attacks exploit parsers that resolve external entities, potentially leading to data disclosure, SSRF, or DoS.
### Primary Secure Configuration (Recommended for JDK 8+)
Use DocumentBuilderFactory.newDefaultInstance() or newInstance(), then explicitly set security features and attributes. The key is to disable external entity resolution and DTD processing.
```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.XMLConstants;

DocumentBuilderFactory factory = DocumentBuilderFactory.newDefaultInstance(); // Secure defaults in newer JDKs
// Enable Feature Secure Processing (FSP) - enforces limits and disables external access
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
// Restrict external DTD access ("" disables all, "file" allows local files only)
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
// Optionally restrict external schemas
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
DocumentBuilder builder = factory.newDocumentBuilder();
```
### Comprehensive Configuration (OWASP-Compatible, Handles Legacy Parsers)
For maximum protection, including against XML bombs and when FSP alone isn't sufficient:
```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newDefaultInstance();
try {
    // Disable DTD declaration
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Disable external general and parameter entities
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Disable external DTD loading
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    // Additional protections
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    // FSP and access restrictions (JDK 9+ preferred)
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (Exception e) {
    // Log and handle unsupported features (parser-specific)
}
DocumentBuilder builder = factory.newDocumentBuilder();
```
### Alternative Global Configuration (No Code Changes)
Create a jaxp.properties file in $JAVA_HOME/conf/ (JDK 8u251+ / JDK 11+):
```
javax.xml.parsers.DocumentBuilderFactory.http://apache.org/xml/features/disallow-doctype-decl=true
javax.xml.parsers.SAXParserFactory.http://apache.org/xml/features/disallow-doctype-decl=true
jdk.xml.entityExpansionLimit=1000 # Limits XML bomb
```
Or set system properties:
```
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Djdk.xml.entityExpansionLimit=1000
```
### Key Properties Explained
| Property/Feature | Purpose | Value |
|------------------|---------|-------|
| XMLConstants.FEATURE_SECURE_PROCESSING | Enables secure defaults (entity limits, no external access) | true |
| XMLConstants.ACCESS_EXTERNAL_DTD | Restricts DTD fetching | "" (none), "file" (local only) |
| disallow-doctype-decl | Blocks DOCTYPE entirely | true |
| entityExpansionLimit | Prevents XML bomb (billion laughs) | e.g., 1000 |
### Notes
- In JDK 21/24+, FSP is on by default for DOM/SAX but external access still needs explicit restriction.
- Always wrap in try-catch for ParserConfigurationException (unsupported features).
- Test with XXE payloads; use tools like Semgrep for static analysis.
- Avoid processing untrusted XML if possible; prefer JSON.
This configuration prevents XXE by blocking external resource resolution while allowing valid XML parsing.
Citations:
- 1: https://docs.oracle.com/en/java/javase/24/security/java-api-xml-processing-jaxp-security-guide.html
- 2: https://semgrep.dev/docs/cheat-sheets/java-xxe
- 3: https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html
- 4: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html
- 5: https://docs.oracle.com/en/java/javase/24/security/java-api-xml-processing-jaxp-security-guide.html?embed=1
- 6: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Disable external XML entity resolution in DocumentBuilderFactory and TransformerFactory.
Both DocumentBuilderFactory.newInstance() (lines 62–64) and TransformerFactory (lines 95–101) use default settings without XXE protections. Configure them with:
- `XMLConstants.FEATURE_SECURE_PROCESSING` set to `true`
- `XMLConstants.ACCESS_EXTERNAL_DTD` set to `""`
- `XMLConstants.ACCESS_EXTERNAL_SCHEMA` set to `""`
This prevents XML External Entity (XXE) injection attacks, which can lead to data disclosure or denial-of-service.
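The two XXE findings above (on UpdatexmlInGivenFile and UpdateXmlInGivenFileWithNewData) ask for the same hardening, so here is one added example that is not code from this PR or the testsigma-addons repository: both factories configured as the review suggests, applied to the addon's "set attribute on the index-th tag" flow, with a log line that drops the file path and value. The class name SecureXmlUpdate, the method names and the sample XML are assumptions; the DOCTYPE test declares only an internal entity, which is enough to show that the parser rejects the declaration before any entity is resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// Hypothetical helper for this addon; not code from the testsigma-addons repository.
public class SecureXmlUpdate {
    private static final Logger logger = Logger.getLogger(SecureXmlUpdate.class.getName());

    // DocumentBuilderFactory with the hardening the review asks for.
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary defence: reject any DOCTYPE, so no entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // TransformerFactory that cannot fetch external DTDs or stylesheets while serialising.
    static TransformerFactory secureTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }
    // Sets attributeName=attributeValue on the index-th <tagName> of xml and returns the result.
    static String updateAttribute(String xml, String tagName, int index, String attributeName, String attributeValue) throws Exception {
        // Log only non-sensitive metadata: the value is reduced to its length and no file path appears.
        logger.info("tag=" + tagName + " index=" + index + " attribute=" + attributeName
                + " valueLength=" + attributeValue.length());
        DocumentBuilder builder = secureDocumentBuilderFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName(tagName);
        if (index < 0 || index >= nodes.getLength()) {
            throw new IllegalArgumentException("no <" + tagName + "> element at index " + index);
        }
        ((Element) nodes.item(index)).setAttribute(attributeName, attributeValue);
        StringWriter out = new StringWriter();
        secureTransformerFactory().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for the file read from filePath.
        System.out.println(updateAttribute("<config><server name=\"a\"/><server name=\"b\"/></config>",
                "server", 1, "name", "c"));
        // Any DOCTYPE is rejected before an entity can be declared or resolved.
        try {
            updateAttribute("<!DOCTYPE config [<!ENTITY e \"x\">]><config>&e;</config>", "config", 0, "a", "b");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the updated document (the second server now carries name="c") followed by a "rejected:" line from the parser for the DOCTYPE input.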
Publish this addon as PUBLIC
Addon Name: UpdateXMLfile
Jarvis Link: https://jarvis.testsigma.com/ui/tenants/2817/addons
Jira : https://testsigma.atlassian.net/browse/CUS-12079
Added class to update the given xml file