You should definitely upgrade to a recent version of RESTEasy to avoid
security issues.
Cheers
Alessio
On Thu, Jul 13, 2017 at 4:49 AM, Wang Veronica <veronica_bj2004(a)hotmail.com> wrote:
Hi experts,
We use RESTEasy 3.0.6.Final, and an XXE vulnerability was reported during a
penetration test.
It seems that 3.0.6.Final contains a partial fix for the XXE vulnerability, but the
resteasy.document.expand.entity.references parameter needs to be set to false
explicitly. A more complete fix seems to have been made after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am
thinking of is not to support the XML media type (we actually need to support JSON
only). Is this a feasible approach to ultimately avoid XXE attacks, and are there any
pointers on how to achieve this? (In our REST API code, we currently declare
@Consumes and @Produces annotations to support application/xml and
application/json.)
Is there a simple resteasy configuration to disable support of
application/xml?
Thanks, Veronica
_______________________________________________
resteasy mailing list
resteasy(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/resteasy
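The "JSON only" option discussed in the thread, written out as an added example for RESTEasy 3.x (JAX-RS 2.0). This is not code from the thread or from the RESTEasy project; the application, resource, path and field names (JsonOnlyApplication, AccountResource, /accounts, Account) are illustrative. It combines two layers: class-level @Consumes/@Produces restricted to application/json, so a request with an XML Content-Type fails resource matching with 415 before any XML MessageBodyReader runs, and a @PreMatching filter that refuses any XML media type (including +xml structured suffixes) regardless of what the individual resource methods declare.

```java
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Illustrative JAX-RS 2.0 application (RESTEasy 3.x) that accepts and
// returns JSON only. All class, path and field names are made up for
// this example; they are not RESTEasy APIs or names from the thread.
@ApplicationPath("/api")
public class JsonOnlyApplication extends Application {

    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<>();
        classes.add(AccountResource.class);
        classes.add(RejectXmlFilter.class);
        return classes;
    }

    // Layer 1: declare JSON at class level so every method inherits it.
    // A request with Content-Type: application/xml then fails resource
    // matching and receives 415 Unsupported Media Type; no XML reader runs.
    @Path("/accounts")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public static class AccountResource {

        public static class Account {
            public String id;
            public String owner;
        }

        @POST
        public Response create(Account account) {
            // The entity was deserialised by the JSON provider only
            // (e.g. resteasy-jackson-provider), never by JAXB.
            return Response.status(Response.Status.CREATED).entity(account).build();
        }

        @GET
        @Path("{id}")
        public Account get(@PathParam("id") String id) {
            Account a = new Account();
            a.id = id;
            a.owner = "example";
            return a;
        }
    }

    // Layer 2: a pre-matching filter that refuses any XML body outright, so a
    // method that forgot its @Consumes, or one that accepts */*, can never hand
    // an XML entity to the JAXB MessageBodyReader if that provider is still deployed.
    @Provider
    @PreMatching
    public static class RejectXmlFilter implements ContainerRequestFilter {

        static boolean isXml(MediaType mt) {
            if (mt == null) {
                return false;
            }
            String subtype = mt.getSubtype().toLowerCase();
            // Covers application/xml, text/xml and structured suffixes such as
            // application/atom+xml or application/soap+xml.
            return subtype.equals("xml") || subtype.endsWith("+xml");
        }

        @Override
        public void filter(ContainerRequestContext ctx) {
            if (isXml(ctx.getMediaType())) {
                ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                        .type(MediaType.APPLICATION_JSON)
                        .entity("{\"error\":\"only application/json is accepted\"}")
                        .build());
            }
        }
    }
}
```

Two practical notes. First, the annotations only stop XML from reaching the resource methods; the most robust variant of "no XML support" is to not deploy the JAXB provider at all (drop the resteasy-jaxb-provider artifact from the deployment), because a MessageBodyReader that is absent cannot be reached by any path. Second, while still on a 3.0.x release, the parameter named in the question is a web.xml context-param: `<context-param><param-name>resteasy.document.expand.entity.references</param-name><param-value>false</param-value></context-param>`; setting it does not replace the upgrade Alessio recommends, it just narrows the window until the upgrade lands.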