XXE security vulnerability
Multi platform library to read and write schedule data
Brought to you by: joniles
XML External Entities (XXEs) are allowed when reading a Primavera XML file using the PrimaveraPMFileReader. This is a security vulnerability as discussed here https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
The easiest solution to preventing XXEs is to disallow the doctype declaration entirely as shown here http://blog.csnc.ch/2012/08/secure-xml-parser-configuration/
If you can add
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
around line 136 of PrimaveraPMFileReader.java it should solve the problem.
Thanks for raising this. The code now in Git contains your suggested fix.
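The following is an added example, not MPXJ's own code nor the fix committed by the maintainer, showing what the suggested feature does in practice. It assumes a JAXP `DocumentBuilderFactory` backed by the JDK's built-in Xerces parser (the same `disallow-doctype-decl` feature string applies to a `SAXParserFactory`); the two XML strings are constructed for the demonstration. Parsing a document that carries a DOCTYPE succeeds with the default factory and is refused with a `SAXParseException` once the feature is set, which is the behaviour a reviewer should verify after applying the fix. The extra entity features are defence in depth beyond the one-line change suggested above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeRejectionDemo {

    // Constructed sample: a document with a DOCTYPE declaring an internal entity.
    // The hardened configuration refuses any DOCTYPE at all, so no external
    // entity is needed to exercise the check.
    private static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE project [ <!ENTITY name \"Sample\"> ]>\n"
      + "<project><title>&name;</title></project>";

    // Constructed sample: a plain document, which the hardened factory still accepts.
    private static final String WITHOUT_DOCTYPE =
        "<?xml version=\"1.0\"?>\n<project><title>Sample</title></project>";

    // Factory configured as suggested in the report, plus defence-in-depth settings.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The one-line fix from the report: reject the DOCTYPE declaration entirely.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Even if a DOCTYPE were somehow accepted, do not resolve external entities.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    static Document parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Default JAXP factory: the DOCTYPE is accepted and the entity is expanded.
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        System.out.println("default factory, DOCTYPE present: "
            + parse(defaults, WITH_DOCTYPE).getDocumentElement().getTextContent());

        // Hardened factory: ordinary documents still parse ...
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened factory, no DOCTYPE: "
            + parse(hardened, WITHOUT_DOCTYPE).getDocumentElement().getTextContent());

        // ... but any DOCTYPE is rejected before entity processing begins.
        try {
            parse(hardened, WITH_DOCTYPE);
            System.out.println("hardened factory, DOCTYPE present: accepted (misconfigured!)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory, DOCTYPE present: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DoctypeRejectionDemo.java && java DoctypeRejectionDemo`. The caveat to keep in mind is that the feature is deliberately blunt: any input file carrying a DOCTYPE, including a harmless one, will now fail to load with a parse exception, so callers should expect and handle that exception rather than treat it as a corrupt file.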