From 548c5f1fbad3fe172efd00351d03d82449b908a1 Mon Sep 17 00:00:00 2001
From: micheleh
Date: Fri, 3 Apr 2026 14:56:25 +0300
Subject: [PATCH] Fix XXE vulnerability in JunitReportReader

Disable external entity resolution and DTD processing on the XMLInputFactory used to parse JUnit XML reports. Without this, a crafted report file could read arbitrary local files or cause denial of service via entity expansion.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/main/java/com/microfocus/bdd/JunitReportReader.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/com/microfocus/bdd/JunitReportReader.java b/src/main/java/com/microfocus/bdd/JunitReportReader.java
index 5471492..78c987c 100644
--- a/src/main/java/com/microfocus/bdd/JunitReportReader.java
+++ b/src/main/java/com/microfocus/bdd/JunitReportReader.java
@@ -49,6 +49,8 @@ public class JunitReportReader implements Iterable{
 public JunitReportReader(InputStream inputStream, String testcaseElementName) throws XMLStreamException {
 XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+ xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 reader = xmlInputFactory.createXMLEventReader(inputStream, StandardCharsets.UTF_8.name());
 this.testcaseElementName = testcaseElementName;
 iterator = new ElementIterator();
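Review bot: The two `setProperty` calls added after `XMLInputFactory.newInstance()` carry no comment and the diffstat shows only this one file changed, so the hardening ships without a regression test and nothing tells the next maintainer why the report parser refuses DTDs. I would put `// JUnit reports are untrusted input: disabling DTDs and external entities blocks XXE and entity-expansion DoS` above the first call, and add a test that parses a report whose DOCTYPE declares an external entity pointing at a temp file and asserts that file's contents never surface in the parsed elements. Note that `XMLInputFactory.newInstance()` selects the StAX implementation at runtime (the `javax.xml.stream.XMLInputFactory` system property / service loader), so whether a report that still contains a DOCTYPE is silently skipped or rejected with an `XMLStreamException` depends on which parser is on the classpath — the test should pin whichever behaviour the project wants. Since these two calls are the only configuration applied to the factory, hoisting them into a `private static XMLInputFactory newHardenedInputFactory()` would keep the policy in one place if further readers are added. The constructor's closing brace lies outside the hunk.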