glide.xml.entity.whitelist questions

Gemma4
Mega Sage

Hi everyone,

We are trying to complete the healthscan recommendations and I was hoping to get some help. Below is the recommendation and my questions: 


Questions:

We have glide.stax.whitelist_enabled true

I cannot locate glide.xml.entity.whitelist.enabled. Does this need to be created?

What are the values I should enter for glide.xml.entity.whitelist? It currently has the out-of-box value http://java.sun.com/j2ee/dtds/


Feedback from Healthscan

Allow Entity Validation with Allowlisting

Recommendation: This remediation control needs to be enabled to defend against XML External Entity attacks. The system property 'glide.stax.whitelist_enabled' allows the processing (using XMLDocument2) of external entities that are allowlisted.

Prerequisite: 'glide.xml.entity.whitelist.enabled' set to 'true' & 'glide.xml.entity.whitelist' that defines allowed entity path


AnveshKumar M
Tera Sage

Hi @Gemma4 


OOTB this property is not available.


You can create the sys property glide.xml.entity.whitelist_enabled (type: true/false) similar to glide.stax.whitelist_enabled and set the value to true.


Please mark my answer helpful and accept as solution if it helped 👍

Thanks,
Anvesh

Thank you so much. I will create the property. Do you have any insight on the 2nd part of my question? glide.xml.entity.whitelist currently has the out-of-box value http://java.sun.com/j2ee/dtds/. What are the values I should enter for it to be compliant?

@Gemma4 You need to set this URL based on your requirements, i.e. which external entities you want to allow. If you want to allow another external entity, you can add its URL to this sys property as a comma-separated value.


You can keep this URL as is and add other DTD URLs if you want to allow any.


Please mark my answer helpful and accept as solution if it helped 👍

Thanks,
Anvesh
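As an added illustration of the comma-separated allowlist described in the answer above (this is not ServiceNow code and not how XMLDocument2 is implemented), the script below shows how a value like the out-of-box glide.xml.entity.whitelist gates the external entity declarations found in an XML prolog. It assumes an allowlist entry permits any system identifier that starts with it and that an empty value permits nothing; the sample XML and the untrusted.example URL are constructed.

```javascript
// Split a comma-separated allowlist value (as stored in a sys property) into
// trimmed, non-empty entries. An empty or missing value yields no entries.
function parseAllowlist(value) {
  return String(value || '')
    .split(',')
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// Assumption: an entry permits every URI that begins with it (prefix match),
// so "http://java.sun.com/j2ee/dtds/" covers any DTD under that directory.
function isEntityAllowed(systemId, allowlist) {
  return allowlist.some(function (prefix) { return systemId.indexOf(prefix) === 0; });
}

// Matches the system identifier in <!ENTITY name SYSTEM "uri">,
// <!DOCTYPE root SYSTEM "uri"> and <!DOCTYPE root PUBLIC "id" "uri"> forms.
var EXTERNAL_DECL = /<!(ENTITY|DOCTYPE)\s+\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"/g;

// Classify every external declaration in the document against the allowlist.
function checkExternalEntities(xml, allowlistValue) {
  var allowlist = parseAllowlist(allowlistValue);
  var result = { allowed: [], blocked: [] };
  var m;
  EXTERNAL_DECL.lastIndex = 0;
  while ((m = EXTERNAL_DECL.exec(xml)) !== null) {
    var uri = m[2];
    (isEntityAllowed(uri, allowlist) ? result.allowed : result.blocked).push(uri);
  }
  return result;
}

// Constructed sample: a DOCTYPE under the out-of-box DTD location plus one
// entity pointing at a host the allowlist does not cover.
var SAMPLE_XML =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" ' +
  '"http://java.sun.com/j2ee/dtds/web-app_2_3.dtd" [\n' +
  '  <!ENTITY ext SYSTEM "http://untrusted.example/other.dtd">\n' +
  ']>\n' +
  '<web-app>&ext;</web-app>\n';

var OOTB_ALLOWLIST = 'http://java.sun.com/j2ee/dtds/';

console.log(JSON.stringify(checkExternalEntities(SAMPLE_XML, OOTB_ALLOWLIST)));
console.log(JSON.stringify(checkExternalEntities(SAMPLE_XML, '')));
```

With the out-of-box value only the java.sun.com DTD is allowed; with an empty value both declarations land in the blocked list.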

Are there any issues/concerns with removing the default value and leaving this field blank, essentially whitelisting nothing?