Skip to content

[Improvement] Refactor XML parsing logic to use secure ParserUtils in KVM and Database modules #12120

New issue
New issue
Open
Task
#12129
Open
[Improvement] Refactor XML parsing logic to use secure ParserUtils in KVM and Database modules#12120
Task
#12129
Milestone
4.20.3
@YLChen-007

Description

@YLChen-007
YLChen-007
opened on Nov 24, 2025

Description

While reviewing the codebase, I noticed that ParserUtils (located at utils/src/main/java/org/apache/cloudstack/utils/security/ParserUtils.java) provides secure factory methods for XML parsing. However, there are still several places in the codebase where DocumentBuilderFactory and SAXParserFactory are instantiated directly without using these wrapper methods.

To improve code consistency and enhance security hardening (specifically against XXE), we should standardize the XML parsing logic by replacing raw factory instantiations with the methods provided in ParserUtils.

Affected Components & Locations

I have identified the following locations that need refactoring:

  1. KVM Hypervisor Module

    • File: plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateVolumeCommandWrapper.java
    • Lines: around 219-221 and 233-235
    • Current usage: DocumentBuilderFactory.newInstance()

  2. Database Configuration Module

    • File: server/src/main/java/com/cloud/test/DatabaseConfig.java
    • Lines: around 432-441
    • Current usage: SAXParserFactory.newInstance()

  3. Test Classes (Optional but recommended for consistency)

    • LibvirtComputingResourceTest.java
    • LibvirtMigrateCommandWrapperTest.java

Proposed Changes

The code should be updated to use the safer factory methods.

For LibvirtMigrateVolumeCommandWrapper.java:

// Before
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();

// After
DocumentBuilderFactory dbFactory = ParserUtils.getSaferDocumentBuilderFactory();

For DatabaseConfig.java:

// Before
SAXParserFactory spfactory = SAXParserFactory.newInstance();

// After
SAXParserFactory spfactory = ParserUtils.getSaferSAXParserFactory();

Benefits

  • Consistency: Ensures all XML parsing follows the same pattern across the project.
  • Security: ParserUtils automatically handles security features (disabling external entities, etc.), reducing the risk of potential XXE issues.
  • Maintainability: Centralizes XML parser configuration in one utility class.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Task

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions