Enable FEATURE_SECURE_PROCESSING on TransformerFactory in SoapTrafficHandler

[Copilot]

SoapTrafficHandler restricted external DTD/stylesheet access but did not enable FEATURE_SECURE_PROCESSING on its TransformerFactory, leaving it exposed to XML entity expansion and related DoS vectors (CodeQL alert #2).

Change

• SoapTrafficHandler.convertToPrettyPrintedMessage: add setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) immediately after TransformerFactory.newInstance().

TransformerFactory tff = TransformerFactory.newInstance();
tff.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // added
tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

XMLConstants was already imported; no other files are affected.

Original prompt

Problem

Code scanning alert #2 (https://github.com/MobileID-Strong-Authentication/mobileid-client-java/security/code-scanning/2) is still open on the TransformerFactory usage in SoapTrafficHandler.java.

The file mid-java-client-soap/src/main/java/ch/swisscom/mid/client/soap/SoapTrafficHandler.java currently sets ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes on the TransformerFactory (lines 138-139), but does not enable FEATURE_SECURE_PROCESSING. This feature provides additional protection against XXE attacks and XML-based denial-of-service (e.g., entity expansion limits).

Fix

In the convertToPrettyPrintedMessage method (line 135), add the following line after TransformerFactory.newInstance() and before the existing setAttribute calls:

tff.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

The resulting code block should look like:

private String convertToPrettyPrintedMessage(SOAPMessage soapMessage) {
    try {
        TransformerFactory tff = TransformerFactory.newInstance();
        tff.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer tf = tff.newTransformer();
        // Set formatting
        tf.setOutputProperty(OutputKeys.INDENT, "yes");
        tf.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
        Source sc = soapMessage.getSOAPPart().getContent();
        ByteArrayOutputStream streamOut = new ByteArrayOutputStream();
        StreamResult result = new StreamResult(streamOut);
        tf.transform(sc, result);
        return streamOut.toString();
    } catch (Exception e) {
        logClient.error("Failed to pretty print SOAP message for logging purpose", e);
        return null;
    }
}

No other files need to be changed. The XMLConstants import is already present on line 24.

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud