[Bug]: XmlJacksonFormatHandler has no XXE protection

## *AI REVIEWED*

**Module:** cli
**File:** `cli/format/XmlJacksonFormatHandler.java`
**Severity:** High (Security)

## Summary
The Jackson XML mapper is created with default configuration. XML External Entity (XXE) injection is not disabled. A malicious XML file could read local files or trigger SSRF.

## Suggested Fix
Configure the underlying `XMLInputFactory`:
```java
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);

XmlMapper mapper = XmlMapper.builder()
    .inputFactory(inputFactory)
    .build();
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: XmlJacksonFormatHandler has no XXE protection #199

AI REVIEWED

Summary

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug]: XmlJacksonFormatHandler has no XXE protection #199

Description

AI REVIEWED

Summary

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions