Fix XXE vulnerability in ProductImport.kt #68

Open
roxanne-moslehi wants to merge 1 commit into main from dd/fix-xxe-vulnerability

Conversation

@roxanne-moslehi

Summary

Code Security (SAST)

Fixed XXE (XML External Entity) vulnerability in the importProductCatalog method by configuring the DocumentBuilderFactory to disable external entities and DTD processing.

Changes

  • Added security features to DocumentBuilderFactory in the importProductCatalog method:
    • Disabled DOCTYPE declarations
    • Disabled external general entities
    • Disabled external parameter entities
    • Disabled loading external DTDs
    • Disabled entity reference expansion

Testing/Validation

The fix follows security best practices for preventing XXE attacks by completely disabling external entity processing while maintaining XML parsing functionality.


PR by Bits - View session in Datadog

Comment @DataDog to request changes

Co-authored-by: roxanne-moslehi <150825230+roxanne-moslehi@users.noreply.github.com>
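The five settings the description lists, written out as an added Kotlin example; this is not the PR's own diff (the patch itself is not shown on this page). The `Product` class, the shape of `importProductCatalog`, and the two sample catalogs are assumptions made here for illustration; the feature URIs are the standard Xerces/JAXP ones honoured by the JDK's built-in parser.

```kotlin
import java.io.ByteArrayInputStream
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Element
import org.xml.sax.SAXParseException

// Hypothetical product record; the real types in ProductImport.kt are not shown in the PR.
data class Product(val sku: String, val name: String)

// Returns a DocumentBuilderFactory with DTD and external-entity processing switched off,
// one setting per bullet in the PR description.
fun hardenedDocumentBuilderFactory(): DocumentBuilderFactory {
    val factory = DocumentBuilderFactory.newInstance()
    // 1. Reject any DOCTYPE declaration. On Xerces-based parsers (the JDK default) this alone
    //    blocks external-entity and DTD-based attacks, since no entity can be declared at all.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // 2./3. Do not resolve external general or parameter entities. Defence in depth in case
    //    the DOCTYPE guard above is ever relaxed.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    // 4. Do not fetch an external DTD referenced by the document.
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    // 5. Do not expand entity references into the DOM. XInclude is switched off as well,
    //    because it can pull other documents in by URL through a different mechanism.
    factory.isExpandEntityReferences = false
    factory.isXIncludeAware = false
    return factory
}

// Hypothetical stand-in for the PR's importProductCatalog: reads
// <product sku="..."><name>...</name></product> elements from a catalog document
// using the hardened factory.
fun importProductCatalog(xml: String): List<Product> {
    val builder = hardenedDocumentBuilderFactory().newDocumentBuilder()
    val doc = builder.parse(ByteArrayInputStream(xml.toByteArray(Charsets.UTF_8)))
    val nodes = doc.getElementsByTagName("product")
    return (0 until nodes.length).map { i ->
        val el = nodes.item(i) as Element
        Product(
            sku = el.getAttribute("sku"),
            name = el.getElementsByTagName("name").item(0)?.textContent?.trim() ?: ""
        )
    }
}

fun main() {
    // Constructed sample catalog: well-formed, no DOCTYPE. Parses normally.
    val catalog = """
        <?xml version="1.0" encoding="UTF-8"?>
        <catalog>
          <product sku="A-100"><name>Widget</name></product>
          <product sku="B-200"><name>Gadget</name></product>
        </catalog>
    """.trimIndent()
    println(importProductCatalog(catalog))

    // Constructed sample carrying a DOCTYPE with a harmless internal entity. With
    // disallow-doctype-decl on, the parser refuses the document before any entity is
    // processed, which is the behaviour the fix relies on. Treat this as a rejected
    // import worth logging, not as a reason to retry without the guard.
    val withDoctype = """
        <?xml version="1.0"?>
        <!DOCTYPE catalog [ <!ENTITY greeting "hello"> ]>
        <catalog><product sku="C-300"><name>&greeting;</name></product></catalog>
    """.trimIndent()
    try {
        importProductCatalog(withDoctype)
    } catch (e: SAXParseException) {
        println("rejected catalog: ${e.message}")
    }
}
```

Two things worth checking when reviewing a change like this: `setFeature` throws `ParserConfigurationException` if the underlying parser does not recognise a feature, so the hardening should be applied once at factory construction where such a failure surfaces immediately rather than on a rare code path; and because `disallow-doctype-decl` rejects every document that carries a DTD, any legitimate catalog feeds that include a DOCTYPE will start failing and need to be accounted for rather than silently dropped.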
@datadog-datadog-demo-org

datadog-datadog-demo-org Bot commented Mar 24, 2026

View session in Datadog

Bits Dev status: ✅ Done

CI Auto-fix: Disabled

Comment @DataDog to request changes

@datadog-datadog-demo-org

I can only run on private repositories.
