SecureXmlParsing: log failures (#5672)

maltek · web-flow · commit 2a9f2e55def2 · 2025-10-08T14:39:05.000+02:00
* SecureXmlParsing: log failures

we have a diverged copy of this class in codescience that I'd like to
get rid of

* also add FEATURE_SECURE_PROCESSING for good measure
diff --git a/joern-cli/frontends/csharpsrc2cpg/src/main/scala/io/joern/csharpsrc2cpg/passes/DependencyPass.scala b/joern-cli/frontends/csharpsrc2cpg/src/main/scala/io/joern/csharpsrc2cpg/passes/DependencyPass.scala
@@ -1,6 +1,6 @@
 package io.joern.csharpsrc2cpg.passes
 
-import io.joern.semanticcpg.utils.SecureXmlParsing
+import io.shiftleft.semanticcpg.utils.SecureXmlParsing
 import io.shiftleft.semanticcpg.utils.FileUtil.*
 import io.shiftleft.codepropertygraph.generated.Cpg
 import io.shiftleft.codepropertygraph.generated.nodes.NewDependency
diff --git a/joern-cli/frontends/csharpsrc2cpg/src/main/scala/io/joern/csharpsrc2cpg/utils/ImplicitUsingsCollector.scala b/joern-cli/frontends/csharpsrc2cpg/src/main/scala/io/joern/csharpsrc2cpg/utils/ImplicitUsingsCollector.scala
@@ -1,7 +1,6 @@
 package io.joern.csharpsrc2cpg.utils
 
-import io.joern.semanticcpg.utils.SecureXmlParsing
-
+import io.shiftleft.semanticcpg.utils.SecureXmlParsing
 import io.shiftleft.semanticcpg.utils.FileUtil.*
 
 import java.nio.file.Paths
diff --git a/querydb/src/main/scala/io/joern/scanners/android/Misconfigurations.scala b/querydb/src/main/scala/io/joern/scanners/android/Misconfigurations.scala
@@ -20,7 +20,7 @@ object Misconfigurations extends QueryBundle {
           |""".stripMargin,
       score = 3,
       withStrRep({ cpg =>
-        import io.joern.semanticcpg.utils.SecureXmlParsing
+        import io.shiftleft.semanticcpg.utils.SecureXmlParsing
 
         val androidUri = "http://schemas.android.com/apk/res/android"
         cpg.configFile
diff --git a/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/language/android/ConfigFileTraversal.scala b/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/language/android/ConfigFileTraversal.scala
@@ -1,6 +1,6 @@
 package io.shiftleft.semanticcpg.language.android
 
-import io.joern.semanticcpg.utils.SecureXmlParsing
+import io.shiftleft.semanticcpg.utils.SecureXmlParsing
 import io.shiftleft.codepropertygraph.generated.nodes.ConfigFile
 import io.shiftleft.semanticcpg.language.*
 
diff --git a/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/SecureXmlParsing.scala b/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/SecureXmlParsing.scala
@@ -1,7 +1,10 @@
-package io.joern.semanticcpg.utils
+package io.shiftleft.semanticcpg.utils
 
+import org.slf4j.{Logger, LoggerFactory}
+
+import javax.xml.XMLConstants
 import javax.xml.parsers.SAXParserFactory
-import scala.util.Try
+import scala.util.{Failure, Success, Try}
 import scala.xml.{Elem, XML}
 
 object SecureXmlParsing {
@@ -18,8 +21,16 @@ object SecureXmlParsing {
       spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
       spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
       spf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+      spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
 
       XML.withSAXParser(spf.newSAXParser()).loadString(content)
-    }.toOption
+    } match {
+      case Success(elem) => Some(elem)
+      case Failure(exception) =>
+        logger.warn(s"Error creating XML secure parser: ${exception.getMessage}")
+        None
+    }
   }
+
+  private val logger: Logger = LoggerFactory.getLogger(classOf[SecureXmlParsing.type])
 }
