Hi Nico,

Is there a way to set parser properties like `jdk.xml.entityExpansionLimit` in BaseX?

By default, more recent versions of the JDK have static entity expansion limits. Maybe those are not strict enough? Do you have an example at hand that causes problems?

> I am using the internal parser with the DTD option set to false, but this is still vulnerable to the one billion laughs attack.

Thanks for the hint. I have improved the entity expansion checks in our internal XML parser [1]. If you find an example that will not be caught by our (very simple) heuristics, feel free to share it with us.

I agree with Eliot that it can be hazardous to process arbitrary external contents (you are probably aware of that, too). Good firewall/proxy settings may be able to tackle some of the issues that will not be handled during XML parsing.

And @Eliot, with regard to caching: Have you played around with the XML Catalog feature?

Hope this helps,
Christian
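As an added illustration of the kind of entity-expansion check Christian mentions above (this is stand-alone example code, not BaseX's internal parser; the limit value, the function names and the constructed sample documents are assumptions made for the example): it reads the general entities declared in a DOCTYPE's internal subset, computes how large each one becomes once fully expanded, and rejects the document when any entity or the body's total use of entities grows past a limit. The limit is enforced while counting and results are memoised, so the check itself stays cheap even when handed a billion-laughs payload.

```python
"""Entity-expansion heuristic for the internal subset of an XML DTD.

Added example, not BaseX code: general entities only (parameter and
external entities are ignored; XXE is a separate problem), and the
default limit of 100,000 characters is an arbitrary choice.
"""
import re

# Internal subset between '[' and ']>' of a DOCTYPE.
_INTERNAL_SUBSET = re.compile(r'<!DOCTYPE\s[^\[>]*\[(.*?)\]\s*>', re.S)
# <!ENTITY name "value"> or <!ENTITY name 'value'> (internal general entities).
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([^\s%&;]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# General entity references &name; (character references &#...; are skipped).
_ENTITY_REF = re.compile(r'&([^\s&;#]+);')
# Predefined entities expand to a single character and need no declaration.
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


class EntityExpansionError(ValueError):
    pass


def parse_entities(document):
    """Return {name: replacement text} for the internal general entities
    declared in the DOCTYPE, or {} if there is no internal subset."""
    match = _INTERNAL_SUBSET.search(document)
    entities = {}
    if match:
        for decl in _ENTITY_DECL.finditer(match.group(1)):
            name, dq, sq = decl.groups()
            entities[name] = dq if dq is not None else sq
    return entities


def expanded_size(name, entities, limit, sizes, _stack=()):
    """Character count of &name; after recursive expansion.

    Raises on recursive or undeclared entities and as soon as the running
    count passes `limit`; `sizes` memoises entities already measured."""
    if name in sizes:
        return sizes[name]
    if name in _stack:
        raise EntityExpansionError(f"recursive entity &{name};")
    if name not in entities:
        raise EntityExpansionError(f"undeclared entity &{name};")
    text = entities[name]
    size, last = 0, 0
    for ref in _ENTITY_REF.finditer(text):
        size += ref.start() - last          # literal text before the reference
        child = ref.group(1)
        size += 1 if child in PREDEFINED else expanded_size(
            child, entities, limit, sizes, _stack + (name,))
        last = ref.end()
        if size > limit:
            raise EntityExpansionError(
                f"entity &{name}; expands past {limit} characters")
    size += len(text) - last                # literal text after the last reference
    if size > limit:
        raise EntityExpansionError(
            f"entity &{name}; expands past {limit} characters")
    sizes[name] = size
    return size


def check_entity_expansion(document, max_expansion=100_000):
    """Measure every declared entity and every reference in the document
    body; raise EntityExpansionError if the total would exceed
    `max_expansion`. Returns the total expanded size of the body's
    references (0 for a document that uses no entities)."""
    entities = parse_entities(document)
    sizes = {}
    for name in entities:
        expanded_size(name, entities, max_expansion, sizes)
    # Drop the DOCTYPE so references inside declarations are not counted twice.
    body = _INTERNAL_SUBSET.sub("", document)
    total = 0
    for ref in _ENTITY_REF.finditer(body):
        name = ref.group(1)
        if name in PREDEFINED:
            continue
        if name not in entities:
            raise EntityExpansionError(f"undeclared entity &{name};")
        total += sizes[name]
        if total > max_expansion:
            raise EntityExpansionError(
                f"document expands past {max_expansion} characters")
    return total


def is_safe(document, max_expansion=100_000):
    """True if the document passes the expansion check, False otherwise."""
    try:
        check_entity_expansion(document, max_expansion)
        return True
    except EntityExpansionError:
        return False


def billion_laughs(depth=9, fanout=10):
    """Construct a classic billion-laughs document (sample input for the check)."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        name = f"lol{i}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {name} "{refs}">')
        prev = name
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{prev};</lolz>")


# Constructed benign document: two small entities, one referencing the other.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Corp">
  <!ENTITY sig "&company; Security Team">
]>
<note>Contact &sig; at &company;. &lt;3</note>"""
```

Note that the check never materialises the expanded text; it only adds up lengths, which is why the nine-level payload is rejected after a handful of additions rather than after gigabytes of allocation. A real parser would additionally apply the limit to parameter entities and to references in attribute values, which this sketch does not cover.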

On Fri, Mar 14, 2025 at 11:12 AM Nico Verwer (Rakensi) <nverwer@rakensi.com> wrote:
Thank you, Eliot Kimber, for your response:

> These vulnerabilities are only an issue if you allow untrusted users to supply XML documents with DTDs.

My application will be open to the outer world, so there will be untrusted users. We do not use DTDs, but DTDs are just one vulnerability.

> [...] pre-parse them before supplying them to BaseX,

> My solution is to simply not use DTD-aware parsing, [...]

I am using the internal parser with the DTD option set to false, but this is still vulnerable to the one billion laughs attack.

My next action will be to try to install my own parser into BaseX, which will be an interesting exercise...