Merge pull request #2531 from GDLMadushanka/improveXMLBuildMaster

Add safe XML building and parsing to Script mediator

Author: GDLMadushanka

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/ExtendedJavaScriptXmlHelper.java

@@ -48,7 +48,7 @@ public OMElement toOMElement(Object scriptXML) throws ScriptException {
         } else if (scriptXML instanceof String) {
             try {
                 String xmlString = scriptXML.toString();
-                omElement = AXIOMUtil.stringToOM(xmlString);
+                omElement = AXIOMUtil.stringToOM(xmlString, true);
 
             } catch (XMLStreamException | OMException e) {
                 ScriptException scriptException = new ScriptException("Failed to create OMElement with provided " +
@@ -59,7 +59,7 @@ public OMElement toOMElement(Object scriptXML) throws ScriptException {
         } else if (scriptXML instanceof Document) {
             try {
                 Element element = ((Document) scriptXML).getDocumentElement();
-                omElement = XMLUtils.toOM(element);
+                omElement = XMLUtils.toOM(element, true, true);
             } catch (Exception e) {
                 ScriptException scriptException = new ScriptException("Failed to create OMElement with provided " +
                         "payload");

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/GraalVMJavaScriptMessageContext.java

@@ -49,12 +49,11 @@
 import org.apache.synapse.core.SynapseEnvironment;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.endpoints.Endpoint;
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.graalvm.polyglot.Context;
 import org.graalvm.polyglot.Value;
 import org.jaxen.JaxenException;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import java.io.ByteArrayInputStream;
@@ -258,13 +257,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -281,7 +276,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/JavaScriptXmlHelper.java

@@ -70,7 +70,8 @@ public OMElement toOMElement(Object scriptXML)
         OMElement omElement;
 
         try {
-            omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML, "toXMLString", new Object[0]));
+            omElement = AXIOMUtil.stringToOM((String) ScriptableObject.callMethod(jsXML,
+                "toXMLString", new Object[0]), true);
         } catch (XMLStreamException e) {
             throw new ScriptException(e);
         }

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/NashornJavaScriptMessageContext.java

@@ -18,7 +18,7 @@
 
 package org.apache.synapse.mediators.bsf;
 
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.openjdk.nashorn.api.scripting.ScriptObjectMirror;
 import org.apache.axiom.om.OMAttribute;
 import org.apache.axiom.om.OMElement;
@@ -53,7 +53,6 @@
 import org.apache.synapse.endpoints.Endpoint;
 import org.jaxen.JaxenException;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -235,13 +234,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -258,7 +253,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/OpenJDKNashornJavaScriptMessageContext.java

@@ -36,11 +36,10 @@
 import org.apache.synapse.core.SynapseEnvironment;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.endpoints.Endpoint;
-import org.apache.xerces.parsers.DOMParser;
+import org.apache.synapse.mediators.bsf.utils.ScriptUtils;
 import org.jaxen.JaxenException;
 import org.openjdk.nashorn.api.scripting.ScriptObjectMirror;
 import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import javax.script.ScriptEngine;
@@ -241,13 +240,9 @@ public void setScriptEngine(ScriptEngine scriptEngine) {
      * @return parsed document
      */
     public Document parseXml(String text) throws ScriptException {
-        InputSource sax = new InputSource(new java.io.StringReader(text));
-        DOMParser parser = new DOMParser();
         Document doc;
         try {
-            parser.parse(sax);
-            doc = parser.getDocument();
-            doc.getDocumentElement().normalize();
+            doc = ScriptUtils.parseXml(text);
         } catch (SAXException | IOException e) {
             ScriptException scriptException = new ScriptException("Failed to parse provided xml");
             scriptException.initCause(e);
@@ -264,7 +259,7 @@ public Document parseXml(String text) throws ScriptException {
      * @return parsed document
      */
     public OMElement getParsedOMElement(InputStream stream) {
-        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(stream);
+        OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilderWithSec(stream);
         return builder.getDocumentElement();
     }
 

modules/extensions/src/main/java/org/apache/synapse/mediators/bsf/utils/ScriptUtils.java

@@ -0,0 +1,47 @@
+/*
+ *  Copyright (c) 2026, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  WSO2 LLC. licenses this file to you under the Apache License,
+ *  Version 2.0 (the "License"); you may not use this file except
+ *  in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.synapse.mediators.bsf.utils;
+
+import java.io.IOException;
+import org.apache.xerces.parsers.DOMParser;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * This class contains secure utility methods to handle XML payloads for the script mediator.
+ */
+public class ScriptUtils {
+
+    public static Document parseXml(String text) throws IOException, SAXException {
+        InputSource sax = new InputSource(new java.io.StringReader(text));
+        DOMParser parser = new DOMParser();
+        // 1. Disable external DTDs completely
+        parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        // 2. Disable external entities (General)
+        parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        // 3. Disable external entities (Parameter)
+        parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        // 4. Ignore external DTDs if they are present
+        parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        parser.parse(sax);
+        Document doc = parser.getDocument();
+        doc.getDocumentElement().normalize();
+        return doc;
+    }
+}

pom.xml

@@ -1557,7 +1557,7 @@
       <mina.version>2.1.6</mina.version>
       <jms-1.1-spec.version>1.1</jms-1.1-spec.version>
       <!-- Axis2 and its dependencies -->
-      <axis2.version>1.6.1-wso2v124</axis2.version>
+      <axis2.version>1.6.1-wso2v125</axis2.version>
       <axis2.transport.version>2.0.0-wso2v86</axis2.transport.version>
       <axiom.version>1.2.11-wso2v36</axiom.version>
       <xml_schema.version>1.4.7</xml_schema.version>