From 95e58efc73ef45e65d38321ee4910546cb9f4e96 Mon Sep 17 00:00:00 2001
From: Hao Zhang
Date: Tue, 15 Apr 2025 14:38:03 +0800
Subject: [PATCH] Disable external entity resolution to prevent XXE attacks
---
 .../tests/data/data-resteasy/JAXBElementProvider.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/rules/rules-reviewed/eap7/eap6/tests/data/data-resteasy/JAXBElementProvider.java b/rules/rules-reviewed/eap7/eap6/tests/data/data-resteasy/JAXBElementProvider.java
index 7e33e764..8cd71eee 100644
--- a/rules/rules-reviewed/eap7/eap6/tests/data/data-resteasy/JAXBElementProvider.java
+++ b/rules/rules-reviewed/eap7/eap6/tests/data/data-resteasy/JAXBElementProvider.java
@@ -87,6 +87,14 @@ public JAXBElement readFrom(Class> type,
 Unmarshaller unmarshaller = jaxb.createUnmarshaller();
 unmarshaller = decorateUnmarshaller(type, annotations, mediaType, unmarshaller);
 
+ // Disable external entity resolution to prevent XXE attacks
+ try {
+ unmarshaller.setProperty(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ unmarshaller.setProperty(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (IllegalArgumentException ex) {
+ throw new JAXBUnmarshalException("Failed to disable external entity resolution", ex);
+ }
+
 if (needsSecurity()) {
 SecureUnmarshaller unmarshaller1 = new SecureUnmarshaller(unmarshaller, isDisableExternalEntities(), isEnableSecureProcessingFeature(), isDisableDTDs());