From 08cb41eef9ea85fa28f127ad7006a672c925c361 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Feb 2026 05:03:16 +0000
Subject: [PATCH 1/2] Initial plan
From 1a1dd12d80b869b7092e1400c8e8ea062a88a1cf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Feb 2026 05:13:32 +0000
Subject: [PATCH 2/2] Fix three code scanning security issues: insecure hostname verification (CWE-297) and XXE vulnerability (CWE-611)
Co-authored-by: phaupt <4255252+phaupt@users.noreply.github.com>
---
 .../client/rest/ComProtocolHandlerRestImpl.java | 6 +++---
 .../mid/client/soap/MssServiceFactory.java | 15 ++-------------
 .../mid/client/soap/SoapTrafficHandler.java | 3 +++
 3 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/mid-java-client-rest/src/main/java/ch/swisscom/mid/client/rest/ComProtocolHandlerRestImpl.java b/mid-java-client-rest/src/main/java/ch/swisscom/mid/client/rest/ComProtocolHandlerRestImpl.java
index d5e9265..97fd975 100644
--- a/mid-java-client-rest/src/main/java/ch/swisscom/mid/client/rest/ComProtocolHandlerRestImpl.java
+++ b/mid-java-client-rest/src/main/java/ch/swisscom/mid/client/rest/ComProtocolHandlerRestImpl.java
@@ -30,7 +30,6 @@ import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
-import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.ContentType;
 import org.apache.hc.core5.http.HttpHost;
@@ -116,8 +115,9 @@ public void initialize(ClientConfiguration config) {
 if (tlsConfig.isHostnameVerification()) {
 sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslCtx);
 } else {
- sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslCtx,
- NoopHostnameVerifier.INSTANCE);
+ logConfig.warn("Hostname verification is disabled in configuration. " +
+ "This setting is ignored for security reasons. Hostname verification will remain active.");
+ sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslCtx);
 }
 if (tlsConfig.getSslContext() == null && sslCtx != null) {
diff --git a/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/MssServiceFactory.java b/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/MssServiceFactory.java
index 9550569..12aa666 100644
--- a/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/MssServiceFactory.java
+++ b/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/MssServiceFactory.java
@@ -69,7 +69,6 @@ public class MssServiceFactory extends BasePooledObjectFactory createMssService() {
 bindingProvider.getRequestContext().put(JAXWS_SSL_SOCKET_FACTORY, sslSocketFactory);
 if (!clientConfiguration.getTls().isHostnameVerification()) {
- NoopHostnameVerifier noopHostnameVerifier = new NoopHostnameVerifier();
- bindingProvider.getRequestContext().put(JAXWSProperties.HOSTNAME_VERIFIER, noopHostnameVerifier);
- bindingProvider.getRequestContext().put(JAXWS_HOSTNAME_VERIFIER, noopHostnameVerifier);
+ log.warn("MSS Soap client: Hostname verification is disabled in configuration. " +
+ "This setting is ignored for security reasons. Hostname verification will remain active.");
 }
 String serviceBaseUrl = serviceUrlSupplier.get();
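Review bot: In the `else` branch of `initialize` the rewritten code builds exactly the same `new SSLConnectionSocketFactory(sslCtx)` as the `if` branch, so the conditional now only decides whether to log; it reads more honestly as a guard, `if (!tlsConfig.isHostnameVerification()) { logConfig.warn(...); }` followed by one unconditional `sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslCtx);`. The same warn-and-ignore pattern is applied in `MssServiceFactory.createMssService` in the next file, and in both places `isHostnameVerification()` stays a public configuration knob that no longer has any effect, which is easy to misread as still honoured; consider marking it `@Deprecated` on `TlsConfiguration` (outside this diff) or rejecting `false` at configuration time so the mismatch surfaces at startup rather than as a log line. As far as I recall the single-argument constructor in HttpClient 5 installs `HttpsSupport.getDefaultHostnameVerifier()`, which is the property this fix relies on; a short comment on that line, `// single-arg ctor keeps HttpClient's default hostname verifier`, would make the intent explicit once confirmed against the version in use. `initialize` continues outside the hunk.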
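Review bot: With the three removed `put` calls gone, the `JAXWS_HOSTNAME_VERIFIER` constant and the `JAXWSProperties` import that the deleted lines referenced appear to be unused now (both are declared outside the hunk, so this is inferred), and the `@@ -69,7 +69,6` hunk above removes only a single import line, which cannot cover the `HostnameVerifier`, `SSLSession` and `JAXWSProperties` names the deleted code used. An unused-import check or the compiler's warnings would confirm; if they are dead, drop them in the same commit so the next reader does not go looking for the code path that sets them. `createMssService` starts and ends outside the hunk.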
@@ -300,13 +298,4 @@ private KeyStore produceATrustStore(TlsConfiguration tlsConfig) {
 }
 }
- // ----------------------------------------------------------------------------------------------------
-
- private static class NoopHostnameVerifier implements HostnameVerifier {
- @Override
- public boolean verify(String hostName, SSLSession session) {
- return true;
- }
- }
- }
diff --git a/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/SoapTrafficHandler.java b/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/SoapTrafficHandler.java
index 10034f9..5b0de1c 100644
--- a/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/SoapTrafficHandler.java
+++ b/mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/SoapTrafficHandler.java
@@ -21,6 +21,7 @@ import java.io.ByteArrayOutputStream;
 import java.util.Set;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPMessage;
 import javax.xml.transform.OutputKeys;
@@ -134,6 +135,8 @@ private String convertToUnformattedString(SOAPMessage soapMessage) {
 private String convertToPrettyPrintedMessage(SOAPMessage soapMessage) {
 try {
 TransformerFactory tff = TransformerFactory.newInstance();
+ tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer tf = tff.newTransformer();
 // Set formatting
 tf.setOutputProperty(OutputKeys.INDENT, "yes");
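Review bot: `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the implementation does not recognise, and `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` are only guaranteed by JAXP 1.5 factories, so if the classpath supplies an older `TransformerFactory` through the service loader the two added lines turn what looks like a traffic-formatting helper into a hard failure; whether the enclosing `try` absorbs that depends on its `catch` clause, which is outside the hunk. `XMLConstants.FEATURE_SECURE_PROCESSING` is the feature every JAXP factory is required to accept, so it is the portable baseline, with the two attributes attempted on top and the unsupported case tolerated; `setFeature` declares `TransformerConfigurationException`, the same checked type `tff.newTransformer()` already throws inside this `try`, so no new handling is needed for it. Note also that this factory only performs an identity transform of an already-parsed `SOAPMessage`, so these settings harden the pretty-printer alone and do not cover wherever the inbound envelope is parsed. `convertToPrettyPrintedMessage` continues outside the hunk.
```java
TransformerFactory tff = TransformerFactory.newInstance();
// Portable baseline: every JAXP TransformerFactory must accept this feature.
tff.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException ignored) {
    // Factory predates JAXP 1.5 and does not know these attributes; secure processing above still applies.
}
Transformer tf = tff.newTransformer();
// … unchanged: output properties and the transform itself …
```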