Thank you very much, Christian!
>> I am using the internal parser with the DTD option set to false, but
>> this is still vulnerable to the one billion laughs attack.
> Thanks for the hint. I have improved the entity expansion checks in our internal XML parser [1].
In BaseX 11.5, the billion laughs [https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870] ran for a long time and gave me "java.lang.ArrayIndexOutOfBoundsException: Maximum array size reached." The latest release says: "Entities: expansion limit exceeded or recursive definitions found." No more billion laughs!
I was working on an extra option to set `XMLConstants.FEATURE_SECURE_PROCESSING` to `true`, because I used that in the project that I am rewriting. This option is used to "set limits on XML constructs to avoid conditions such as denial of service attacks." With your recent changes, I think this is no longer needed.
> If you find an example that will not be caught by our (very simple) heuristics, feel free to share it with us.
I am still testing, and will let you know if I find anything.
> I agree with Eliot that it can be hazardous to process arbitrary external contents (you are probably aware of that, too). Good firewall/proxy settings may be able to tackle some of the issues that will not be handled during XML parsing.
Unfortunately, I have little influence on the firewall/proxy in the production environment, so I try to handle everything in BaseX or my docker image.
Kind regards, Nico
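As an added example (not code from this thread, from BaseX, or from Nico's project): what the `XMLConstants.FEATURE_SECURE_PROCESSING` setting mentioned above does when applied to the JDK's built-in JAXP parser, combined with the Xerces features that refuse a DOCTYPE and external entities outright, and what happens to a constructed billion-laughs document. The class and method names are mine; the payload is generated in the code rather than taken from the linked gist.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParser {

    // Hardened JAXP factory (illustrative, not BaseX's configuration):
    // - FEATURE_SECURE_PROCESSING turns on the JDK's resource limits
    //   (entity expansion count, entity size, element depth, ...).
    // - disallow-doctype-decl rejects any DOCTYPE, so no internal entity can
    //   be declared at all and no external DTD or entity can be referenced.
    // - The external-*-entities / load-external-dtd features are belt and
    //   braces for parsers that accept the DOCTYPE but should never fetch.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed billion-laughs payload: `levels` nested entities, each
    // referencing the previous one `fanout` times. With levels=10, fanout=10
    // the fully expanded text would be 10^10 copies of "lol".
    static String billionLaughs(int levels, int fanout) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n");
        sb.append("<!ENTITY lol0 \"lol\">\n");
        for (int i = 1; i <= levels; i++) {
            sb.append("<!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < fanout; j++) {
                sb.append("&lol").append(i - 1).append(';');
            }
            sb.append("\">\n");
        }
        sb.append("]>\n<lolz>&lol").append(levels).append(";</lolz>\n");
        return sb.toString();
    }

    // Parses `xml` with the hardened factory. Returns the root element name
    // on success, or a "rejected: ..." string carrying the parser's message.
    // DefaultHandler is used as ErrorHandler so fatal errors are thrown
    // without the JDK's default "[Fatal Error]" line on stderr.
    static String parse(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler());
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign input is parsed normally.
        System.out.println(parse("<doc><a/></doc>"));
        // The payload is refused at the DOCTYPE, before a single entity is expanded.
        System.out.println(parse(billionLaughs(10, 10)));
    }
}
```

The point of stacking the features: `disallow-doctype-decl` stops the attack before expansion even starts, so it is the setting to prefer when the application never needs DTDs. When DTDs must be accepted (the situation the internal-parser discussion above is about), the JDK's expansion counter, governed by the `jdk.xml.entityExpansionLimit` property and enabled by secure processing, is what catches the payload instead, and the parser error then reads like the "expansion limit exceeded" message Nico quotes from BaseX rather than an array-size exception.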