Add safe XML building and parsing to Script mediator

GDLMadushanka · GDLMadushanka · commit 43ebc1a4c158 · 2026-04-08T07:50:12.000+05:30
Use safe methods from Axis2 and Axiom to build and parse XML inputs in the script mediator.
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ExtendedJavaScriptXmlHelper.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ExtendedJavaScriptXmlHelper.java
@@ -48,7 +48,7 @@ public OMElement toOMElement(Object scriptXML) throws ScriptException {
         } else if (scriptXML instanceof String) {
             try {
                 String xmlString = scriptXML.toString();
-                omElement = AXIOMUtil.stringToOM(xmlString);
+                omElement = AXIOMUtil.stringToOM(xmlString, true);
 
             } catch (XMLStreamException | OMException e) {
                 ScriptException scriptException = new ScriptException("Failed to create OMElement with provided " +
@@ -59,7 +59,7 @@ public OMElement toOMElement(Object scriptXML) throws ScriptException {
         } else if (scriptXML instanceof Document) {
             try {
                 Element element = ((Document) scriptXML).getDocumentElement();
-                omElement = XMLUtils.toOM(element);
+                omElement = XMLUtils.toOM(element, true, true);
             } catch (Exception e) {
                 ScriptException scriptException = new ScriptException("Failed to create OMElement with provided " +
                         "payload");
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/GraalVMJavaScriptMessageContext.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/GraalVMJavaScriptMessageContext.java
@@ -49,12 +49,11 @@
 import org.apache.synapse.core.SynapseEnvironment;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.endpoints.Endpoint;
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.graalvm.polyglot.Context;
 import org.graalvm.polyglot.Value;
 import org.jaxen.JaxenException;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import java.io.ByteArrayInputStream;
@@ -258,13 +257,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -281,7 +276,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/JavaScriptXmlHelper.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/JavaScriptXmlHelper.java
@@ -70,7 +70,8 @@ public OMElement toOMElement(Object scriptXML)
         OMElement omElement;
 
         try {
-            omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML, "toXMLString", new Object[0]));
+            omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML,
+                "toXMLString", new Object[0]), true);
         } catch (XMLStreamException e) {
             throw new ScriptException(e);
         }
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/NashornJavaScriptMessageContext.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/NashornJavaScriptMessageContext.java
@@ -18,7 +18,7 @@
 
 package org.apache.synapse.mediators.bsf;
 
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.openjdk.nashorn.api.scripting.ScriptObjectMirror;
 import org.apache.axiom.om.OMAttribute;
 import org.apache.axiom.om.OMElement;
@@ -53,7 +53,6 @@
 import org.apache.synapse.endpoints.Endpoint;
 import org.jaxen.JaxenException;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -235,13 +234,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -258,7 +253,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/OpenJDKNashornJavaScriptMessageContext.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/OpenJDKNashornJavaScriptMessageContext.java
@@ -36,11 +36,10 @@
 import org.apache.synapse.core.SynapseEnvironment;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.endpoints.Endpoint;
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.jaxen.JaxenException;
 import org.openjdk.nashorn.api.scripting.ScriptObjectMirror;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import javax.script.ScriptEngine;
@@ -241,13 +240,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -264,7 +259,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 
diff --git a/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/utils/ScriptUtils.java b/modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/utils/ScriptUtils.java
@@ -0,0 +1,47 @@
+/*
+ *  Copyright (c) 2026, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.synapse.mediators.bsf.utils;
+
+import java.io.IOException;
+import org.apache.xerces.parsers.DOMParser;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * This class contains secure utility methods to handle XML payloads for the script mediator.
+ */
+public class ScriptUtils {
+
+    public static Document parseXml(String text) throws IOException, SAXException {
+        InputSource sax = new InputSource(new java.io.StringReader(text));
+        DOMParser parser = new DOMParser();
+        // 1. Disable external DTDs completely
+        parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        // 2. Disable external entities (General)
+        parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        // 3. Disable external entities (Parameter)
+        parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        // 4. Ignore external DTDs if they are present
+        parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        parser.parse(sax);
+        Document doc = parser.getDocument();
+        doc.getDocumentElement().normalize();
+        return doc;
+    }
+}
diff --git a/pom.xml b/pom.xml
@@ -1557,8 +1557,8 @@
       <mina.version>2.1.6</mina.version>
       <jms-1.1-spec.version>1.1</jms-1.1-spec.version>
       <!-- Axis2 and its dependencies -->
-      <axis2.version>1.6.1-wso2v124</axis2.version>
-      <axis2.transport.version>2.0.0-wso2v86</axis2.transport.version>
+      <axis2.version>1.6.1-wso2v123</axis2.version>
+      <axis2.transport.version>2.0.0-wso2v85</axis2.transport.version>
       <axiom.version>1.2.11-wso2v36</axiom.version>
       <xml_schema.version>1.4.7</xml_schema.version>
       <xml_apis.version>1.3.04</xml_apis.version>
@@ -1642,8 +1642,8 @@
        <activemq.broker.version>5.9.1</activemq.broker.version>
        <slf4j.log4j.version>1.5.2</slf4j.log4j.version>
        <system.rules.version>1.17.0</system.rules.version>
-       <io.netty.version>4.2.12.Final</io.netty.version>
-       <transport.http.netty.version>6.4.1</transport.http.netty.version>
+       <io.netty.version>4.2.9.Final</io.netty.version>
+       <transport.http.netty.version>6.3.60</transport.http.netty.version>
        <version.org.wso2.orbit.javax.activation>1.1.1.wso2v3</version.org.wso2.orbit.javax.activation>
        <rabbitmq.version>5.20.0</rabbitmq.version>
        <opentelemetry.all.version>1.57.0.wso2v3</opentelemetry.all.version>

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,8 @@ public OMElement toOMElement(Object scriptXML)`
`70`	`70`	`OMElement omElement;`
`71`	`71`
`72`	`72`	`try {`
`73`		`- omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML, "toXMLString", new Object[0]));`
	`73`	`+ omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML,`
	`74`	`+ "toXMLString", new Object[0]), true);`
`74`	`75`	`} catch (XMLStreamException e) {`
`75`	`76`	`throw new ScriptException(e);`
`76`	`77`	`}`