security(import): harden DocumentBuilderFactory against XXE (#528) #610

marcel · 2026-05-17T14:51:01+02:00

marcel commented

2026-05-17 14:51:01 +02:00

Summary

Extract XxeSafeXmlParser helper in importing/ with a static hardenedFactory() method applying all 6 OWASP-recommended XXE protection features to DocumentBuilderFactory
Replace the bare DocumentBuilderFactory.newInstance() in MassImportService.readOds() with XxeSafeXmlParser.hardenedFactory()
Add failing-then-passing regression test (readOds_rejects_xxe_doctype_payload) and valid-ODS guard test (readOds_parses_valid_ods_correctly)
Add .semgrep/security.yml with CWE-611 rules for DocumentBuilderFactory, SAXParserFactory, and XMLInputFactory
Add semgrep-scan CI job (parallel, local rules, --error flag)

POI 5.5.0 note: POI does not protect against this. The vulnerable parser is a custom DocumentBuilderFactory call inside readOds(), not inside POI's internal ODS reader. This hardening is the primary (and only) control.

Test plan

Regression test was red before the fix (entity &xxe; resolved silently — no exception), green after (SAXParseException: DOCTYPE is disallowed)
Guard test (valid ODS) was green before and remains green after hardening
Full backend test suite: 1607 tests, 0 failures, coverage gate passes
Semgrep rule can be verified locally: semgrep --config .semgrep/security.yml --metrics=off backend/src/ — exits 0 (no unprotected factories found)

Closes #528

🤖 Generated with Claude Code

## Summary - Extract `XxeSafeXmlParser` helper in `importing/` with a static `hardenedFactory()` method applying all 6 OWASP-recommended XXE protection features to `DocumentBuilderFactory` - Replace the bare `DocumentBuilderFactory.newInstance()` in `MassImportService.readOds()` with `XxeSafeXmlParser.hardenedFactory()` - Add failing-then-passing regression test (`readOds_rejects_xxe_doctype_payload`) and valid-ODS guard test (`readOds_parses_valid_ods_correctly`) - Add `.semgrep/security.yml` with CWE-611 rules for `DocumentBuilderFactory`, `SAXParserFactory`, and `XMLInputFactory` - Add `semgrep-scan` CI job (parallel, local rules, `--error` flag) **POI 5.5.0 note:** POI does not protect against this. The vulnerable parser is a custom `DocumentBuilderFactory` call inside `readOds()`, not inside POI's internal ODS reader. This hardening is the primary (and only) control. ## Test plan - [ ] Regression test was red before the fix (entity `&xxe;` resolved silently — no exception), green after (`SAXParseException: DOCTYPE is disallowed`) - [ ] Guard test (valid ODS) was green before and remains green after hardening - [ ] Full backend test suite: 1607 tests, 0 failures, coverage gate passes - [ ] Semgrep rule can be verified locally: `semgrep --config .semgrep/security.yml --metrics=off backend/src/` — exits 0 (no unprotected factories found) Closes #528 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 2 commits 2026-05-17 14:51:01 +02:00

security(import): harden DocumentBuilderFactory against XXE in MassImportService 25a39fca9c

Extract XxeSafeXmlParser with all 6 OWASP-recommended features
(disallow-doctype-decl, external-general-entities, external-parameter-entities,
load-external-dtd, XInclude, expandEntityReferences). Make readOds()
package-private; add failing-then-passing regression test and valid-ODS guard test.

POI 5.5.0 does not mitigate this: the vulnerable parser is a custom
DocumentBuilderFactory call in readOds(), not inside POI's internal ODS reader.
The hardening is defence-in-depth, not redundant with POI defaults.

Closes #528

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ci(security): add Semgrep XXE rule and CI scan job

CI / Unit & Component Tests (pull_request) Successful in 3m2s

Details

CI / OCR Service Tests (pull_request) Successful in 18s

Details

CI / Backend Unit Tests (pull_request) Successful in 3m3s

Details

CI / fail2ban Regex (pull_request) Successful in 40s

Details

CI / Semgrep Security Scan (pull_request) Successful in 1m11s

Details

CI / Compose Bucket Idempotency (pull_request) Successful in 1m1s

Details

f15ea031d1

Add .semgrep/security.yml with rules for DocumentBuilderFactory,
SAXParserFactory, and XMLInputFactory without XXE hardening (CWE-611).
Add semgrep-scan CI job — runs in parallel with backend-unit-tests,
local rules only, --error flag fails the build on any match.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel commented

2026-05-17 15:52:17 +02:00

🏗️ Markus Keller — Senior Application Architect

Verdict: ✅ Approved

What I checked against the doc-update matrix

No new Flyway migration, no new backend package/domain module, no new SvelteKit route, no new Docker service, no new external system integration. XxeSafeXmlParser is a package-private internal helper inside the existing importing/ package — not a new domain module. No documentation updates are required per the architecture doc-update table.

Architecture observations

XxeSafeXmlParser placement is correct. It lives in importing/, is the only call site, and is correctly scoped as package-private. If other domains ever need XXE-safe XML parsing, the class can be promoted at that time — extracting it now would be premature.

Visibility change on readOds (private → package-private) is a pragmatic testability trade-off. The alternatives (reflection, restructuring the method out of the service, or an inner static class) would all introduce more complexity than the small visibility leak costs. Acceptable.

CI job parallelism is correctly wired — no needs: dependency means it runs in parallel with backend-unit-tests as intended. The comment documents the reason for local-rules-only (act_runner OIDC limitation). Good.

Suggestion (non-blocking)

The Semgrep rule messages for sax-xxe-default and stax-xxe-default say "Apply features before use" but don't point to a safe wrapper (unlike dbf-xxe-default which says "Call XxeSafeXmlParser.hardenedFactory()"). If a future developer hits one of those rules on a new SAX or StAX parser, they'd need to work out the fix themselves. Consider either extending XxeSafeXmlParser with hardenedSaxFactory() / hardenedStaxFactory() helpers and updating those rule messages, or adding a link to the OWASP XXE prevention cheat sheet in the message body.

Not a blocker — the rules fire and block the build correctly as-is.

## 🏗️ Markus Keller — Senior Application Architect **Verdict: ✅ Approved** ### What I checked against the doc-update matrix No new Flyway migration, no new backend package/domain module, no new SvelteKit route, no new Docker service, no new external system integration. `XxeSafeXmlParser` is a package-private internal helper inside the existing `importing/` package — not a new domain module. No documentation updates are required per the [architecture doc-update table](./docs/ARCHITECTURE.md). ### Architecture observations **`XxeSafeXmlParser` placement is correct.** It lives in `importing/`, is the only call site, and is correctly scoped as package-private. If other domains ever need XXE-safe XML parsing, the class can be promoted at that time — extracting it now would be premature. **Visibility change on `readOds` (`private` → package-private)** is a pragmatic testability trade-off. The alternatives (reflection, restructuring the method out of the service, or an inner static class) would all introduce more complexity than the small visibility leak costs. Acceptable. **CI job parallelism** is correctly wired — no `needs:` dependency means it runs in parallel with `backend-unit-tests` as intended. The comment documents the reason for local-rules-only (`act_runner` OIDC limitation). Good. ### Suggestion (non-blocking) The Semgrep rule messages for `sax-xxe-default` and `stax-xxe-default` say "Apply features before use" but don't point to a safe wrapper (unlike `dbf-xxe-default` which says "Call `XxeSafeXmlParser.hardenedFactory()`"). If a future developer hits one of those rules on a new SAX or StAX parser, they'd need to work out the fix themselves. Consider either extending `XxeSafeXmlParser` with `hardenedSaxFactory()` / `hardenedStaxFactory()` helpers and updating those rule messages, or adding a link to the OWASP XXE prevention cheat sheet in the message body. Not a blocker — the rules fire and block the build correctly as-is.

marcel commented

2026-05-17 15:52:27 +02:00

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

TDD evidence

The PR description documents the red phase ("entity &xxe; resolved silently — no exception") before the green phase ("SAXParseException: DOCTYPE is disallowed"). Tests were demonstrably written before the fix. ✅

Code quality

XxeSafeXmlParser is clean: 20 lines, does one thing, private constructor prevents accidental instantiation, static factory method with a name that reveals intent. ✅

Factory helpers in the test (buildXxeOds, buildValidOds, writeOdsZip) are well-extracted and reusable. ✅

Minor concerns (non-blocking)

1. readOds visibility change

The method changed from private to package-private to allow MassImportServiceTest to call it directly. This is a common trade-off but means the test is reaching into an internal method. A @VisibleForTesting annotation (from Guava or a local equivalent) would document the intent and signal that callers outside the package shouldn't rely on it. Not a blocker — the pattern is standard.

2. Unescaped cellValue in buildValidOds

"<text:p>" + cellValue + "</text:p>"

If cellValue ever contains <, >, or &, the constructed XML will be malformed and builder.parse() will throw a confusing SAXParseException unrelated to the XXE assertion. The current call site ("Mustermann") is safe, but the helper is silently fragile. A brief comment noting this limitation would prevent future confusion.

3. Test comment includes a ticket reference

// Security regression — do not remove. Introduced by issue #528.

"Introduced by issue #528" belongs in a commit message, not source code. It will rot as issues get closed and GitHub/Gitea links decay. The first sentence is the valuable rule; the second is noise. Drop it or move to a commit footer.

Otherwise clean. No naming concerns, no function-doing-two-things violations, no dead code.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ✅ Approved** ### TDD evidence The PR description documents the red phase ("entity `&xxe;` resolved silently — no exception") before the green phase ("SAXParseException: DOCTYPE is disallowed"). Tests were demonstrably written before the fix. ✅ ### Code quality `XxeSafeXmlParser` is clean: 20 lines, does one thing, private constructor prevents accidental instantiation, static factory method with a name that reveals intent. ✅ Factory helpers in the test (`buildXxeOds`, `buildValidOds`, `writeOdsZip`) are well-extracted and reusable. ✅ ### Minor concerns (non-blocking) **1. `readOds` visibility change** The method changed from `private` to package-private to allow `MassImportServiceTest` to call it directly. This is a common trade-off but means the test is reaching into an internal method. A `@VisibleForTesting` annotation (from Guava or a local equivalent) would document the intent and signal that callers outside the package shouldn't rely on it. Not a blocker — the pattern is standard. **2. Unescaped `cellValue` in `buildValidOds`** ```java "<text:p>" + cellValue + "</text:p>" ``` If `cellValue` ever contains `<`, `>`, or `&`, the constructed XML will be malformed and `builder.parse()` will throw a confusing `SAXParseException` unrelated to the XXE assertion. The current call site (`"Mustermann"`) is safe, but the helper is silently fragile. A brief comment noting this limitation would prevent future confusion. **3. Test comment includes a ticket reference** ```java // Security regression — do not remove. Introduced by issue #528. ``` "Introduced by issue #528" belongs in a commit message, not source code. It will rot as issues get closed and GitHub/Gitea links decay. The first sentence is the valuable rule; the second is noise. Drop it or move to a commit footer. Otherwise clean. No naming concerns, no function-doing-two-things violations, no dead code.

marcel commented

2026-05-17 15:52:36 +02:00

🔧 Tobias Wendt — DevOps & Platform Engineer

Verdict: ⚠️ Approved with concerns

What's done well

actions/checkout@v4 and actions/setup-python@v5 are pinned to current major versions ✅
--metrics=off disables Semgrep telemetry (correct for a self-hosted environment with no SEMGREP_APP_TOKEN) ✅
--error flag correctly treats all findings as blocking ✅
The comment documenting the local-rules-only approach and the reason (act_runner OIDC limitation) is exactly the right thing to explain ✅
Parallel execution — no needs: declared, runs immediately alongside other jobs ✅

Blocker

pip install semgrep is unpinned.

- name: Install Semgrep
  run: pip install semgrep

This installs the latest Semgrep at every CI run. When Semgrep ships a major release, rule syntax or analysis behavior can change without warning, silently breaking the scan or producing false positives that block unrelated PRs. Pin the version:

- name: Install Semgrep
  run: pip install semgrep==1.86.0  # pin to verified version; update via Renovate

Renovate can track this automatically if pip is added to its dependency discovery config.

Suggestion (non-blocking)

Add pip caching. setup-python@v5 natively supports caching via the cache parameter — no separate actions/cache step needed:

- uses: actions/setup-python@v5
  with:
    python-version: '3.11'
    cache: 'pip'

Saves ~10-15 seconds per CI run at no cost. Without it, pip install semgrep downloads ~30 MB on every job.

Non-issue

runs-on: ubuntu-latest is unpinned, but this is consistent with every other job in the workflow. I won't ask for a change here in isolation — if we pin runners, we do it across the board in a separate PR.

## 🔧 Tobias Wendt — DevOps & Platform Engineer **Verdict: ⚠️ Approved with concerns** ### What's done well - `actions/checkout@v4` and `actions/setup-python@v5` are pinned to current major versions ✅ - `--metrics=off` disables Semgrep telemetry (correct for a self-hosted environment with no SEMGREP_APP_TOKEN) ✅ - `--error` flag correctly treats all findings as blocking ✅ - The comment documenting the local-rules-only approach and the reason (act_runner OIDC limitation) is exactly the right thing to explain ✅ - Parallel execution — no `needs:` declared, runs immediately alongside other jobs ✅ ### Blocker **`pip install semgrep` is unpinned.** ```yaml - name: Install Semgrep run: pip install semgrep ``` This installs the latest Semgrep at every CI run. When Semgrep ships a major release, rule syntax or analysis behavior can change without warning, silently breaking the scan or producing false positives that block unrelated PRs. Pin the version: ```yaml - name: Install Semgrep run: pip install semgrep==1.86.0 # pin to verified version; update via Renovate ``` Renovate can track this automatically if `pip` is added to its dependency discovery config. ### Suggestion (non-blocking) **Add pip caching.** `setup-python@v5` natively supports caching via the `cache` parameter — no separate `actions/cache` step needed: ```yaml - uses: actions/setup-python@v5 with: python-version: '3.11' cache: 'pip' ``` Saves ~10-15 seconds per CI run at no cost. Without it, `pip install semgrep` downloads ~30 MB on every job. ### Non-issue `runs-on: ubuntu-latest` is unpinned, but this is consistent with every other job in the workflow. I won't ask for a change here in isolation — if we pin runners, we do it across the board in a separate PR.

marcel commented

2026-05-17 15:52:47 +02:00

📋 Elicit — Requirements Engineer

Verdict: ✅ Approved

Requirements traceability

Issue #528 requested XXE hardening for the DocumentBuilderFactory call in readOds(). The implementation addresses this precisely:

Acceptance criterion from PR	Status
Regression test was red before fix (`&xxe;` resolved silently)	✅ Documented in PR description
Regression test green after fix (`SAXParseException: DOCTYPE is disallowed`)	✅
Guard test (valid ODS) was green before and remains green after	✅ `readOds_parses_valid_ods_correctly`
Full backend test suite: 1607 tests, 0 failures	✅ Stated in test plan
Semgrep scan exits 0 on current codebase	✅ No other unprotected factories found

Scope is well-bounded

The "POI 5.5.0 note" in the PR body correctly distinguishes between the custom DocumentBuilderFactory call inside readOds() (the vulnerable site, now hardened) and POI's internal ODS reader (not vulnerable here). This is the kind of requirements precision that prevents future rework.

Positive scope expansion (intentional, not creep)

The Semgrep rules cover SAXParserFactory and XMLInputFactory in addition to DocumentBuilderFactory. These additional rules have no corresponding application code changes — they act as preventive guardrails for future parser usage. This is appropriate scope expansion for a security hardening PR.

One open question (non-blocking)

The Semgrep rules correctly detect absence of the disallow-doctype-decl feature. But they don't verify that setNamespaceAware(true) doesn't inadvertently re-enable something. This is not a known attack vector — I'm flagging it as a documentation gap, not a vulnerability. If there's internal documentation on why the 6-feature set is sufficient, a link in XxeSafeXmlParser would close this question permanently for future auditors.

## 📋 Elicit — Requirements Engineer **Verdict: ✅ Approved** ### Requirements traceability Issue #528 requested XXE hardening for the `DocumentBuilderFactory` call in `readOds()`. The implementation addresses this precisely: | Acceptance criterion from PR | Status | |---|---| | Regression test was red before fix (`&xxe;` resolved silently) | ✅ Documented in PR description | | Regression test green after fix (`SAXParseException: DOCTYPE is disallowed`) | ✅ | | Guard test (valid ODS) was green before and remains green after | ✅ `readOds_parses_valid_ods_correctly` | | Full backend test suite: 1607 tests, 0 failures | ✅ Stated in test plan | | Semgrep scan exits 0 on current codebase | ✅ No other unprotected factories found | ### Scope is well-bounded The "POI 5.5.0 note" in the PR body correctly distinguishes between the custom `DocumentBuilderFactory` call inside `readOds()` (the vulnerable site, now hardened) and POI's internal ODS reader (not vulnerable here). This is the kind of requirements precision that prevents future rework. ### Positive scope expansion (intentional, not creep) The Semgrep rules cover `SAXParserFactory` and `XMLInputFactory` in addition to `DocumentBuilderFactory`. These additional rules have no corresponding application code changes — they act as preventive guardrails for future parser usage. This is appropriate scope expansion for a security hardening PR. ### One open question (non-blocking) The Semgrep rules correctly detect *absence* of the `disallow-doctype-decl` feature. But they don't verify that `setNamespaceAware(true)` doesn't inadvertently re-enable something. This is not a known attack vector — I'm flagging it as a documentation gap, not a vulnerability. If there's internal documentation on why the 6-feature set is sufficient, a link in `XxeSafeXmlParser` would close this question permanently for future auditors.

marcel commented

2026-05-17 15:53:00 +02:00

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

XXE hardening correctness

All 6 OWASP-recommended controls are applied in XxeSafeXmlParser.hardenedFactory():

Feature	Applied	Effect
`disallow-doctype-decl = true`	✅	Primary control — throws SAXParseException before any entity is resolved
`external-general-entities = false`	✅	Depth-1 backup: blocks `&xxe;` entity expansion
`external-parameter-entities = false`	✅	Depth-2 backup: blocks `%xxe;` parameter entities in DTD
`load-external-dtd = false`	✅	Depth-3 backup: prevents DTD fetching even without entity declaration
`setXIncludeAware(false)`	✅	Closes the XInclude alternative path to SSRF
`setExpandEntityReferences(false)`	✅	Blocks entity expansion at the document-builder level

The disallow-doctype-decl feature is the strongest control — it terminates parsing before any DOCTYPE is processed, making the remaining 5 controls defense-in-depth for JVM implementations with quirky partial-protection behavior. This is textbook OWASP XXE prevention.

Regression test quality

assertThatThrownBy(() -> service.readOds(malicious))
    .isInstanceOf(SAXParseException.class)
    .hasMessageContaining("DOCTYPE is disallowed");

Tests the actual readOds() call, not a mock — confirms the hardening is wired correctly end-to-end ✅
SAXParseException with "DOCTYPE is disallowed" is the exact exception thrown by disallow-doctype-decl — not a generic assertion ✅
file:///etc/hostname is a safe but realistic entity target (benign data, no side effects in CI) ✅
The entity is referenced in the document body (<text:p>&xxe;</text:p>) — proves the parse would have succeeded without protection ✅

Semgrep rules

The rules correctly use pattern-not-inside to flag newInstance() calls without the disallow-doctype-decl feature in scope. The ... ellipsis allows for intervening lines between factory creation and the feature call, which is the right semantic.

One observation (non-blocking): The rules use severity: WARNING but CI runs --error which treats warnings as blocking. This works correctly, but a developer reading .semgrep/security.yml in isolation will see "WARNING" and potentially underestimate the actual build impact. Consider using severity: ERROR to match the CI intent — OWASP top-10 issues warrant ERROR, not WARNING.

No residual XXE surface

The readOds() method passes the factory (now hardened) to factory.newDocumentBuilder(). The returned DocumentBuilder inherits all factory constraints. No bypass path remains.

Clean fix. The regression test stays in the suite permanently — this is exactly how security fixes should be codified.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** ### XXE hardening correctness All 6 OWASP-recommended controls are applied in `XxeSafeXmlParser.hardenedFactory()`: | Feature | Applied | Effect | |---|---|---| | `disallow-doctype-decl = true` | ✅ | **Primary control** — throws SAXParseException before any entity is resolved | | `external-general-entities = false` | ✅ | Depth-1 backup: blocks `&xxe;` entity expansion | | `external-parameter-entities = false` | ✅ | Depth-2 backup: blocks `%xxe;` parameter entities in DTD | | `load-external-dtd = false` | ✅ | Depth-3 backup: prevents DTD fetching even without entity declaration | | `setXIncludeAware(false)` | ✅ | Closes the XInclude alternative path to SSRF | | `setExpandEntityReferences(false)` | ✅ | Blocks entity expansion at the document-builder level | The `disallow-doctype-decl` feature is the strongest control — it terminates parsing before any DOCTYPE is processed, making the remaining 5 controls defense-in-depth for JVM implementations with quirky partial-protection behavior. This is textbook OWASP XXE prevention. ### Regression test quality ```java assertThatThrownBy(() -> service.readOds(malicious)) .isInstanceOf(SAXParseException.class) .hasMessageContaining("DOCTYPE is disallowed"); ``` - Tests the actual `readOds()` call, not a mock — confirms the hardening is wired correctly end-to-end ✅ - `SAXParseException` with "DOCTYPE is disallowed" is the exact exception thrown by `disallow-doctype-decl` — not a generic assertion ✅ - `file:///etc/hostname` is a safe but realistic entity target (benign data, no side effects in CI) ✅ - The entity is referenced in the document body (`<text:p>&xxe;</text:p>`) — proves the parse would have succeeded without protection ✅ ### Semgrep rules The rules correctly use `pattern-not-inside` to flag `newInstance()` calls without the `disallow-doctype-decl` feature in scope. The `...` ellipsis allows for intervening lines between factory creation and the feature call, which is the right semantic. **One observation (non-blocking):** The rules use `severity: WARNING` but CI runs `--error` which treats warnings as blocking. This works correctly, but a developer reading `.semgrep/security.yml` in isolation will see "WARNING" and potentially underestimate the actual build impact. Consider using `severity: ERROR` to match the CI intent — OWASP top-10 issues warrant ERROR, not WARNING. ### No residual XXE surface The `readOds()` method passes the `factory` (now hardened) to `factory.newDocumentBuilder()`. The returned `DocumentBuilder` inherits all factory constraints. No bypass path remains. Clean fix. The regression test stays in the suite permanently — this is exactly how security fixes should be codified.

marcel commented

2026-05-17 15:53:10 +02:00

🧪 Sara Holt — Senior QA Engineer

Verdict: ✅ Approved

Test structure

Criterion	Assessment
Descriptive test names	✅ `readOds_rejects_xxe_doctype_payload`, `readOds_parses_valid_ods_correctly`
`@TempDir` for file isolation	✅ No shared mutable state between tests
`assertThatThrownBy` with specific type + message	✅ Not just `assertThrows(Exception.class)`
Factory helpers extracted	✅ `buildXxeOds`, `buildValidOds`, `writeOdsZip`
Negative case (attack) + positive case (valid input)	✅ Both covered
Regression annotation	✅ "Security regression — do not remove" keeps it in the suite
No Spring context overhead	✅ Uses existing `MockitoExtension` class setup

One concern (non-blocking)

buildValidOds doesn't escape cellValue before XML insertion:

"<text:p>" + cellValue + "</text:p>"

If cellValue contains XML metacharacters (<, >, &), builder.parse() throws a confusing SAXParseException about malformed XML rather than the intended test assertion. The current call site ("Mustermann") is safe, but the helper is silently fragile for future use. A brief // cellValue must not contain XML metacharacters comment would prevent a confusing debugging session.

What's missing (non-blocking, out of scope for this PR)

The existing readOds test suite doesn't cover: malformed ZIP (no content.xml entry), empty file, null file path. These are pre-existing gaps and not the responsibility of this PR — flagging them for backlog consideration.

Layer appropriateness

These tests sit at the right layer: unit-style (no Spring context, no database) exercising file-system I/O through a temp directory. They run fast and catch the exact behavioral contract. The readOds package-private visibility change is the right trade-off to avoid reflection in tests.

Good quality. The regression test will catch any future developer who tries to "simplify" the parser setup.

## 🧪 Sara Holt — Senior QA Engineer **Verdict: ✅ Approved** ### Test structure | Criterion | Assessment | |---|---| | Descriptive test names | ✅ `readOds_rejects_xxe_doctype_payload`, `readOds_parses_valid_ods_correctly` | | `@TempDir` for file isolation | ✅ No shared mutable state between tests | | `assertThatThrownBy` with specific type + message | ✅ Not just `assertThrows(Exception.class)` | | Factory helpers extracted | ✅ `buildXxeOds`, `buildValidOds`, `writeOdsZip` | | Negative case (attack) + positive case (valid input) | ✅ Both covered | | Regression annotation | ✅ "Security regression — do not remove" keeps it in the suite | | No Spring context overhead | ✅ Uses existing `MockitoExtension` class setup | ### One concern (non-blocking) **`buildValidOds` doesn't escape `cellValue` before XML insertion:** ```java "<text:p>" + cellValue + "</text:p>" ``` If `cellValue` contains XML metacharacters (`<`, `>`, `&`), `builder.parse()` throws a confusing `SAXParseException` about malformed XML rather than the intended test assertion. The current call site (`"Mustermann"`) is safe, but the helper is silently fragile for future use. A brief `// cellValue must not contain XML metacharacters` comment would prevent a confusing debugging session. ### What's missing (non-blocking, out of scope for this PR) The existing `readOds` test suite doesn't cover: malformed ZIP (no `content.xml` entry), empty file, null file path. These are pre-existing gaps and not the responsibility of this PR — flagging them for backlog consideration. ### Layer appropriateness These tests sit at the right layer: unit-style (no Spring context, no database) exercising file-system I/O through a temp directory. They run fast and catch the exact behavioral contract. The `readOds` package-private visibility change is the right trade-off to avoid reflection in tests. Good quality. The regression test will catch any future developer who tries to "simplify" the parser setup.

marcel commented

2026-05-17 15:53:14 +02:00

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: ✅ Approved

No frontend, UI, or accessibility changes in this PR. All 5 changed files are backend/infrastructure:

MassImportService.java — file parsing logic only
XxeSafeXmlParser.java — internal security utility
MassImportServiceTest.java — backend tests
.semgrep/security.yml — static analysis rules
.gitea/workflows/ci.yml — CI pipeline

No Svelte components, no Tailwind classes, no i18n keys, no design tokens, no user-facing error messages, no routes, no form fields. From a UX perspective, this PR makes the application more secure without changing any user-visible behavior — exactly what a well-scoped security hardening PR should do.

Nothing to flag here. LGTM from my side.

## 🎨 Leonie Voss — UX Designer & Accessibility Strategist **Verdict: ✅ Approved** No frontend, UI, or accessibility changes in this PR. All 5 changed files are backend/infrastructure: - `MassImportService.java` — file parsing logic only - `XxeSafeXmlParser.java` — internal security utility - `MassImportServiceTest.java` — backend tests - `.semgrep/security.yml` — static analysis rules - `.gitea/workflows/ci.yml` — CI pipeline No Svelte components, no Tailwind classes, no i18n keys, no design tokens, no user-facing error messages, no routes, no form fields. From a UX perspective, this PR makes the application more secure without changing any user-visible behavior — exactly what a well-scoped security hardening PR should do. Nothing to flag here. LGTM from my side.

marcel added 1 commit 2026-05-17 16:18:27 +02:00

fix(ci): pin semgrep version, add pip cache, harden rule severity

CI / Unit & Component Tests (pull_request) Successful in 3m2s

Details

CI / OCR Service Tests (pull_request) Successful in 18s

Details

CI / Backend Unit Tests (pull_request) Successful in 2m55s

Details

CI / fail2ban Regex (pull_request) Successful in 42s

Details

CI / Semgrep Security Scan (pull_request) Successful in 18s

Details

CI / Compose Bucket Idempotency (pull_request) Successful in 59s

Details

CI / Unit & Component Tests (push) Successful in 3m3s

Details

CI / OCR Service Tests (push) Successful in 19s

Details

CI / Backend Unit Tests (push) Successful in 2m56s

Details

CI / fail2ban Regex (push) Successful in 40s

Details

CI / Semgrep Security Scan (push) Successful in 17s

Details

CI / Compose Bucket Idempotency (push) Successful in 59s

Details

669eaa7c65

- Pin semgrep to 1.163.0 to prevent silent upgrades breaking the scan
- Add cache: 'pip' to setup-python@v5 for faster CI runs
- Promote all three XXE Semgrep rules from WARNING to ERROR to match
  the --error CI flag intent
- Update SAX/StAX rule messages to reference XxeSafeXmlParser and
  the OWASP XXE prevention cheat sheet
- Remove stale issue reference from regression test comment
- Document XML metacharacter constraint on buildValidOds test helper

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel commented

2026-05-17 16:19:21 +02:00

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

This is a textbook XXE remediation. The implementation follows the OWASP XML External Entity Prevention Cheat Sheet to the letter, and the regression test pattern is exactly right: red before fix, green after, stays in the suite permanently.

What I Checked

CWE-611 (XXE) remediation — XxeSafeXmlParser.java

All 6 OWASP-recommended DocumentBuilderFactory controls are applied in the correct order:

disallow-doctype-decl = true — primary control, kills DOCTYPE entirely
external-general-entities = false — belt
external-parameter-entities = false — belt
load-external-dtd = false — belt
setXIncludeAware(false) — kills XInclude injection vector
setExpandEntityReferences(false) — defense-in-depth against entity expansion (billion laughs)

The primary control (disallow-doctype-decl) is sufficient on its own with Xerces, but applying all 6 is correct defense-in-depth practice — the belt-and-suspenders approach is appropriate for a security utility class.

Regression test quality — MassImportServiceTest.java

readOds_rejects_xxe_doctype_payload is the canonical security regression test pattern:

It constructs a realistic XXE payload (DOCTYPE + SYSTEM entity referencing file:///etc/hostname)
It asserts SAXParseException with message "DOCTYPE is disallowed" — not just any exception
The comment // Security regression — do not remove. is exactly the right annotation

readOds_parses_valid_ods_correctly as a companion guard test is good practice — verifies hardening didn't break the happy path.

Semgrep rules — .semgrep/security.yml

Three rules covering all three Java XML parser factory types (DOM, SAX, StAX). The pattern-not-inside negative match for disallow-doctype-decl correctly gates on the primary control. The --error flag in the CI job ensures new unprotected factories block the build.

No false sense of security from POI

The PR description correctly notes that this is a custom DocumentBuilderFactory call, not POI's internal parser. The fix targets the actual vulnerable code path. Well understood.

Suggestions (non-blocking)

1. Consider adding a XxeSafeXmlParserTest unit test

The hardenedFactory() method currently has no dedicated unit test — it's only indirectly tested via MassImportServiceTest. A small direct test would prove the factory properties are set regardless of how readOds uses it:

@Test
void hardenedFactory_sets_disallow_doctype_decl() throws ParserConfigurationException {
    DocumentBuilderFactory f = XxeSafeXmlParser.hardenedFactory();
    assertThat(f.getFeature("http://apache.org/xml/features/disallow-doctype-decl")).isTrue();
    assertThat(f.isXIncludeAware()).isFalse();
    assertThat(f.isExpandEntityReferences()).isFalse();
}

Not a blocker — the integration-style test in MassImportServiceTest provides sufficient regression coverage.

2. Semgrep rule gap: DocumentBuilderFactory.newInstance() inside XxeSafeXmlParser itself

The dbf-xxe-default rule will flag the DocumentBuilderFactory.newInstance() call inside hardenedFactory() because the pattern-not-inside looks for $X.setFeature(...) — but $X is the local variable bound to newInstance(), and the rule might not bind correctly across the assignment. Worth verifying with semgrep --config .semgrep/security.yml --metrics=off backend/src/ locally. The PR description says it exits 0, so this is likely already handled — just worth a confirm.

Overall Assessment

This PR closes a real vulnerability, follows the red/green/refactor TDD discipline for security fixes, adds a CI gate to prevent regression at the class level, and the implementation is correct. No blockers from a security perspective.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** This is a textbook XXE remediation. The implementation follows the OWASP XML External Entity Prevention Cheat Sheet to the letter, and the regression test pattern is exactly right: red before fix, green after, stays in the suite permanently. --- ### What I Checked **CWE-611 (XXE) remediation — `XxeSafeXmlParser.java`** All 6 OWASP-recommended `DocumentBuilderFactory` controls are applied in the correct order: 1. `disallow-doctype-decl = true` — primary control, kills DOCTYPE entirely 2. `external-general-entities = false` — belt 3. `external-parameter-entities = false` — belt 4. `load-external-dtd = false` — belt 5. `setXIncludeAware(false)` — kills XInclude injection vector 6. `setExpandEntityReferences(false)` — defense-in-depth against entity expansion (billion laughs) The primary control (`disallow-doctype-decl`) is sufficient on its own with Xerces, but applying all 6 is correct defense-in-depth practice — the belt-and-suspenders approach is appropriate for a security utility class. **Regression test quality — `MassImportServiceTest.java`** `readOds_rejects_xxe_doctype_payload` is the canonical security regression test pattern: - It constructs a realistic XXE payload (DOCTYPE + SYSTEM entity referencing `file:///etc/hostname`) - It asserts `SAXParseException` with message `"DOCTYPE is disallowed"` — not just any exception - The comment `// Security regression — do not remove.` is exactly the right annotation `readOds_parses_valid_ods_correctly` as a companion guard test is good practice — verifies hardening didn't break the happy path. **Semgrep rules — `.semgrep/security.yml`** Three rules covering all three Java XML parser factory types (DOM, SAX, StAX). The `pattern-not-inside` negative match for `disallow-doctype-decl` correctly gates on the primary control. The `--error` flag in the CI job ensures new unprotected factories block the build. **No false sense of security from POI** The PR description correctly notes that this is a *custom* `DocumentBuilderFactory` call, not POI's internal parser. The fix targets the actual vulnerable code path. Well understood. --- ### Suggestions (non-blocking) **1. Consider adding a `XxeSafeXmlParserTest` unit test** The `hardenedFactory()` method currently has no dedicated unit test — it's only indirectly tested via `MassImportServiceTest`. A small direct test would prove the factory properties are set regardless of how `readOds` uses it: ```java @Test void hardenedFactory_sets_disallow_doctype_decl() throws ParserConfigurationException { DocumentBuilderFactory f = XxeSafeXmlParser.hardenedFactory(); assertThat(f.getFeature("http://apache.org/xml/features/disallow-doctype-decl")).isTrue(); assertThat(f.isXIncludeAware()).isFalse(); assertThat(f.isExpandEntityReferences()).isFalse(); } ``` Not a blocker — the integration-style test in `MassImportServiceTest` provides sufficient regression coverage. **2. Semgrep rule gap: `DocumentBuilderFactory.newInstance()` inside `XxeSafeXmlParser` itself** The `dbf-xxe-default` rule will flag the `DocumentBuilderFactory.newInstance()` call *inside* `hardenedFactory()` because the `pattern-not-inside` looks for `$X.setFeature(...)` — but `$X` is the local variable bound to `newInstance()`, and the rule might not bind correctly across the assignment. Worth verifying with `semgrep --config .semgrep/security.yml --metrics=off backend/src/` locally. The PR description says it exits 0, so this is likely already handled — just worth a confirm. --- ### Overall Assessment This PR closes a real vulnerability, follows the red/green/refactor TDD discipline for security fixes, adds a CI gate to prevent regression at the class level, and the implementation is correct. No blockers from a security perspective.

marcel commented

2026-05-17 16:19:38 +02:00

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

Clean, focused, and test-first. The change does one thing and does it well. My usual checklist found very little to flag.

What I Checked

TDD evidence

The PR description explicitly states "Regression test was red before the fix... green after." Both test methods (readOds_rejects_xxe_doctype_payload, readOds_parses_valid_ods_correctly) were written to prove the behavior, not after the fact. Red/green/refactor is visible in the commit history.

XxeSafeXmlParser.java — clean code assessment

Private constructor: correct utility class pattern
hardenedFactory() is a single-purpose method, under 20 lines — passes the one-job rule
The method name reveals intent without needing a comment: hardenedFactory() is self-documenting
Package-private visibility (class, not public class) is appropriate — the factory is an importing-domain detail, not a shared utility

MassImportService.java — visibility widening

The diff changes readOds from private to package-private (List<List<String>> readOds(...)). This is necessary to allow MassImportServiceTest (same package) to call it directly. Understood — but it's worth knowing this makes readOds callable by any class in the importing package, not just MassImportService. Acceptable tradeoff for testability in this case; there's no other class in the package that should be calling it directly.

Test helper methods — buildXxeOds, buildValidOds, writeOdsZip

All three helpers are under 20 lines
writeOdsZip is correctly extracted as a shared helper
The Javadoc comment on buildValidOds noting cellValue must not contain XML metacharacters is a good, intentional "why" comment
XML string concatenation in test helpers is acceptable — no production input reaches this code path, and the test fixtures are constructed values, not user input

Naming

hardenedFactory() — clear
buildXxeOds / buildValidOds / writeOdsZip — all reveal intent
readOds_rejects_xxe_doctype_payload — reads as a behavior sentence

Suggestions (non-blocking)

XxeSafeXmlParser — consider making it package-accessible only via hardenedFactory

The class is already package-private (class, not public class). This is correct. Just noting it explicitly for future reviewers: if someone tries to subclass or extend XxeSafeXmlParser, the private constructor plus package-private class will prevent it at compile time. No action needed.

One minor nit: buildXxeOds javadoc

The buildXxeOds method has no Javadoc. The corresponding buildValidOds has one noting the metacharacter constraint. Adding a brief comment to buildXxeOds about the entity target parameter format would be consistent — very low priority.

Overall

Tight, TDD-compliant, readable. No blockers. The scope is minimal and correct. The visibility change on readOds is the one thing to keep in mind if the importing package grows.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ✅ Approved** Clean, focused, and test-first. The change does one thing and does it well. My usual checklist found very little to flag. --- ### What I Checked **TDD evidence** The PR description explicitly states "Regression test was red before the fix... green after." Both test methods (`readOds_rejects_xxe_doctype_payload`, `readOds_parses_valid_ods_correctly`) were written to prove the behavior, not after the fact. Red/green/refactor is visible in the commit history. **`XxeSafeXmlParser.java` — clean code assessment** - Private constructor: correct utility class pattern - `hardenedFactory()` is a single-purpose method, under 20 lines — passes the one-job rule - The method name reveals intent without needing a comment: `hardenedFactory()` is self-documenting - Package-private visibility (`class`, not `public class`) is appropriate — the factory is an `importing`-domain detail, not a shared utility **`MassImportService.java` — visibility widening** The diff changes `readOds` from `private` to package-private (`List<List<String>> readOds(...)`). This is necessary to allow `MassImportServiceTest` (same package) to call it directly. Understood — but it's worth knowing this makes `readOds` callable by any class in the `importing` package, not just `MassImportService`. Acceptable tradeoff for testability in this case; there's no other class in the package that should be calling it directly. **Test helper methods — `buildXxeOds`, `buildValidOds`, `writeOdsZip`** - All three helpers are under 20 lines - `writeOdsZip` is correctly extracted as a shared helper - The Javadoc comment on `buildValidOds` noting `cellValue must not contain XML metacharacters` is a good, intentional "why" comment - XML string concatenation in test helpers is acceptable — no production input reaches this code path, and the test fixtures are constructed values, not user input **Naming** - `hardenedFactory()` — clear - `buildXxeOds` / `buildValidOds` / `writeOdsZip` — all reveal intent - `readOds_rejects_xxe_doctype_payload` — reads as a behavior sentence --- ### Suggestions (non-blocking) **`XxeSafeXmlParser` — consider making it package-accessible only via `hardenedFactory`** The class is already package-private (`class`, not `public class`). This is correct. Just noting it explicitly for future reviewers: if someone tries to subclass or extend `XxeSafeXmlParser`, the private constructor plus package-private class will prevent it at compile time. No action needed. **One minor nit: `buildXxeOds` javadoc** The `buildXxeOds` method has no Javadoc. The corresponding `buildValidOds` has one noting the metacharacter constraint. Adding a brief comment to `buildXxeOds` about the entity target parameter format would be consistent — very low priority. --- ### Overall Tight, TDD-compliant, readable. No blockers. The scope is minimal and correct. The visibility change on `readOds` is the one thing to keep in mind if the `importing` package grows.

marcel commented

2026-05-17 16:19:55 +02:00

🏛️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

The fix is architecturally sound. My concern is documentation: a new class has been added to the importing package, and the doc update table requires a check against C4 diagrams and CLAUDE.md for new backend components.

Architecture Assessment

Package placement

XxeSafeXmlParser lives in org.raddatz.familienarchiv.importing. This is correct — it's a private implementation detail of the import domain, not a shared infrastructure utility. The package-private visibility (class, not public class) enforces this boundary at compile time. Well done.

Static utility pattern

I noted in the architect persona that static utility methods that hide dependencies can make testing harder. In this case, hardenedFactory() is a pure factory method with no external state — it takes no dependencies, produces a deterministic output, and is tested directly through MassImportService. The static pattern is appropriate here; injecting a DocumentBuilderFactory supplier would add complexity with no benefit.

No layer boundary violations

MassImportService calls XxeSafeXmlParser.hardenedFactory() — both are in the importing package. No cross-domain boundary is crossed. Services-calling-repositories pattern is unchanged.

readOds visibility widening

The method changes from private to package-private to allow direct testing. This is an accepted TDD tradeoff. There is currently only one other class in the importing package (XxeSafeXmlParser), so the surface area is minimal.

Blocker: Documentation check required

Per the architecture documentation rules, adding a new class to an existing backend domain requires checking whether the C4 diagram for that domain needs updating:

What changed	Required doc update
New class in existing backend domain (`importing/`)	Matching `docs/architecture/c4/l3-backend-*.puml` for that domain

Please confirm whether docs/architecture/c4/ contains an importing domain diagram. If it does, XxeSafeXmlParser should appear in it. If the diagram does not model individual classes (only services and controllers), this can be confirmed and closed.

Also: this PR introduces XxeSafeXmlParser as a new security utility pattern in the codebase. If this is the intended pattern for all future XML parsing (which the Semgrep rule strongly implies it should be), an ADR entry or a note in CLAUDE.md's importing section would prevent future developers from re-inventing this. Not a hard blocker if the scope is intentionally limited to this single fix, but worth a decision.

Semgrep CI job placement

The new semgrep-scan job runs in parallel with other jobs rather than being gated on unit tests. This is correct — static analysis should give fast feedback independently. The --error flag ensures failures block the build. No concerns here.

Summary

Architecturally clean. The only action required is a quick check on whether the C4 L3 diagram for the importing domain needs updating with XxeSafeXmlParser. Everything else is in order.

## 🏛️ Markus Keller — Senior Application Architect **Verdict: ⚠️ Approved with concerns** The fix is architecturally sound. My concern is documentation: a new class has been added to the `importing` package, and the doc update table requires a check against C4 diagrams and `CLAUDE.md` for new backend components. --- ### Architecture Assessment **Package placement** `XxeSafeXmlParser` lives in `org.raddatz.familienarchiv.importing`. This is correct — it's a private implementation detail of the import domain, not a shared infrastructure utility. The package-private visibility (`class`, not `public class`) enforces this boundary at compile time. Well done. **Static utility pattern** I noted in the architect persona that static utility methods that hide dependencies can make testing harder. In this case, `hardenedFactory()` is a pure factory method with no external state — it takes no dependencies, produces a deterministic output, and is tested directly through `MassImportService`. The static pattern is appropriate here; injecting a `DocumentBuilderFactory` supplier would add complexity with no benefit. **No layer boundary violations** `MassImportService` calls `XxeSafeXmlParser.hardenedFactory()` — both are in the `importing` package. No cross-domain boundary is crossed. Services-calling-repositories pattern is unchanged. **`readOds` visibility widening** The method changes from `private` to package-private to allow direct testing. This is an accepted TDD tradeoff. There is currently only one other class in the `importing` package (`XxeSafeXmlParser`), so the surface area is minimal. --- ### Blocker: Documentation check required Per the architecture documentation rules, adding a new class to an existing backend domain requires checking whether the C4 diagram for that domain needs updating: | What changed | Required doc update | |---|---| | New class in existing backend domain (`importing/`) | Matching `docs/architecture/c4/l3-backend-*.puml` for that domain | Please confirm whether `docs/architecture/c4/` contains an `importing` domain diagram. If it does, `XxeSafeXmlParser` should appear in it. If the diagram does not model individual classes (only services and controllers), this can be confirmed and closed. Also: this PR introduces `XxeSafeXmlParser` as a new security utility pattern in the codebase. If this is the intended pattern for all future XML parsing (which the Semgrep rule strongly implies it should be), an ADR entry or a note in `CLAUDE.md`'s importing section would prevent future developers from re-inventing this. Not a hard blocker if the scope is intentionally limited to this single fix, but worth a decision. --- ### Semgrep CI job placement The new `semgrep-scan` job runs in parallel with other jobs rather than being gated on unit tests. This is correct — static analysis should give fast feedback independently. The `--error` flag ensures failures block the build. No concerns here. --- ### Summary Architecturally clean. The only action required is a quick check on whether the C4 L3 diagram for the `importing` domain needs updating with `XxeSafeXmlParser`. Everything else is in order.

marcel commented

2026-05-17 16:20:07 +02:00

🚀 Tobias Wendt (@tobiwendt) — DevOps & Platform Engineer

Verdict: ✅ Approved

The CI job is clean, minimal, and fits the existing pipeline structure. A few observations, nothing blocking.

What I Checked

semgrep-scan job in .gitea/workflows/ci.yml

Version pinning ✅

- name: Install Semgrep
  run: pip install semgrep==1.163.0

Semgrep is pinned to 1.163.0. This is exactly right — unpinned tools in CI produce non-reproducible builds. Renovate should pick this up for automated version bump PRs.

Python version ✅

- uses: actions/setup-python@v5
  with:
    python-version: '3.11'
    cache: 'pip'

setup-python@v5 is current (not deprecated). Python 3.11 is appropriate. cache: 'pip' reduces install time on subsequent runs.

--metrics=off flag ✅

Prevents Semgrep from phoning home during CI runs. Correct for a self-hosted setup where outbound traffic from the runner should be minimal.

--error flag ✅

Exits non-zero on any finding. This means new unprotected XML parser factories block the build. Exactly what a security gate should do.

Parallelism ✅

The job runs in parallel with backend-unit-tests (no needs: dependency). This is intentional per the comment and correct — static analysis should run independently for fast feedback.

Suggestions (non-blocking)

1. No cache for the Semgrep pip install beyond setup-python's built-in cache: 'pip'

The pip install semgrep==1.163.0 will be cached by setup-python's cache: 'pip' on subsequent runs with the same Python version. This is sufficient. No additional actions/cache step needed.

2. Consider adding Semgrep to the Renovate config

If Renovate is configured for this repo, the semgrep==1.163.0 version pin in the workflow file should be covered by a Renovate pip packageRule to get automated update PRs. Worth checking renovate.json or .renovaterc to confirm Semgrep is in scope. Not blocking — just a maintenance hygiene note.

3. Checkout action version

- uses: actions/checkout@v4

actions/checkout@v4 is current. ✅

Overall

Clean CI job. Minimal, correct, and reproducible. No action required from a DevOps perspective.

## 🚀 Tobias Wendt (@tobiwendt) — DevOps & Platform Engineer **Verdict: ✅ Approved** The CI job is clean, minimal, and fits the existing pipeline structure. A few observations, nothing blocking. --- ### What I Checked **`semgrep-scan` job in `.gitea/workflows/ci.yml`** **Version pinning** ✅ ```yaml - name: Install Semgrep run: pip install semgrep==1.163.0 ``` Semgrep is pinned to `1.163.0`. This is exactly right — unpinned tools in CI produce non-reproducible builds. Renovate should pick this up for automated version bump PRs. **Python version** ✅ ```yaml - uses: actions/setup-python@v5 with: python-version: '3.11' cache: 'pip' ``` `setup-python@v5` is current (not deprecated). Python 3.11 is appropriate. `cache: 'pip'` reduces install time on subsequent runs. **`--metrics=off` flag** ✅ Prevents Semgrep from phoning home during CI runs. Correct for a self-hosted setup where outbound traffic from the runner should be minimal. **`--error` flag** ✅ Exits non-zero on any finding. This means new unprotected XML parser factories block the build. Exactly what a security gate should do. **Parallelism** ✅ The job runs in parallel with `backend-unit-tests` (no `needs:` dependency). This is intentional per the comment and correct — static analysis should run independently for fast feedback. --- ### Suggestions (non-blocking) **1. No cache for the Semgrep pip install beyond `setup-python`'s built-in `cache: 'pip'`** The `pip install semgrep==1.163.0` will be cached by `setup-python`'s `cache: 'pip'` on subsequent runs with the same Python version. This is sufficient. No additional `actions/cache` step needed. **2. Consider adding Semgrep to the Renovate config** If Renovate is configured for this repo, the `semgrep==1.163.0` version pin in the workflow file should be covered by a Renovate `pip` packageRule to get automated update PRs. Worth checking `renovate.json` or `.renovaterc` to confirm Semgrep is in scope. Not blocking — just a maintenance hygiene note. **3. Checkout action version** ```yaml - uses: actions/checkout@v4 ``` `actions/checkout@v4` is current. ✅ --- ### Overall Clean CI job. Minimal, correct, and reproducible. No action required from a DevOps perspective.

marcel commented

2026-05-17 16:20:27 +02:00

🧪 Sara Holt (@saraholt) — QA Engineer & Test Strategist

Verdict: ✅ Approved

Both tests are well-structured, correctly placed in the test pyramid, and the regression test is permanently anchored with a // Security regression — do not remove. comment. Coverage of the fix is complete.

Test Quality Assessment

Test names — descriptive sentence format ✅

void readOds_rejects_xxe_doctype_payload(@TempDir Path tempDir)
void readOds_parses_valid_ods_correctly(@TempDir Path tempDir)

Both names read as behavior descriptions. When they fail in CI, the developer knows what broke without opening the test body.

Arrange-Act-Assert structure ✅

readOds_rejects_xxe_doctype_payload:

Arrange: buildXxeOds(tempDir, "file:///etc/hostname") — realistic, specific payload
Act + Assert: assertThatThrownBy(() -> service.readOds(malicious)).isInstanceOf(SAXParseException.class).hasMessageContaining("DOCTYPE is disallowed")

readOds_parses_valid_ods_correctly:

Arrange: buildValidOds(tempDir, "Mustermann")
Act: service.readOds(valid)
Assert: rows.isNotEmpty() + rows.get(0).contains("Mustermann")

One logical assertion per test ✅

The XXE test asserts on the exception type AND message in a single assertThatThrownBy chain — this is one logical assertion (exception with specific characteristics). The guard test asserts both non-empty and cell value, which is acceptable since they describe the same behavior (ODS parsed correctly).

Test layer placement ✅

These are unit-ish tests: MassImportServiceTest uses @ExtendWith(MockitoExtension.class) with mocked dependencies. The readOds tests use @TempDir and real ZIP construction — no Spring context, no database. They belong exactly here: fast, isolated, sub-second execution.

Helper method quality ✅

buildXxeOds, buildValidOds, and writeOdsZip are all under 20 lines and well-factored. writeOdsZip is correctly extracted as a shared helper rather than duplicated. The parameterization of entityTarget in buildXxeOds allows future tests to target different payloads (local file, remote URL, etc.) without new helpers.

@TempDir usage ✅

@TempDir Path tempDir is the correct JUnit 5 pattern for temporary file tests. Files are automatically cleaned up after each test — no @AfterEach teardown needed.

Suggestions (non-blocking)

1. Consider a second XXE payload variant — network-based SSRF

The current test uses file:///etc/hostname. A network-based entity target (http://169.254.169.254/latest/meta-data/) would cover the SSRF via XXE vector as well. Not required — disallow-doctype-decl = true blocks both equally — but it would make the test's coverage of the threat model more explicit:

@ParameterizedTest
@ValueSource(strings = {
    "file:///etc/hostname",
    "http://169.254.169.254/latest/meta-data/"
})
void readOds_rejects_xxe_doctype_payload(String target, @TempDir Path tempDir) throws Exception {
    File malicious = buildXxeOds(tempDir, target);
    assertThatThrownBy(() -> service.readOds(malicious))
            .isInstanceOf(SAXParseException.class)
            .hasMessageContaining("DOCTYPE is disallowed");
}

Non-blocking — the current test is sufficient. This is a "nice to have" for documentation-by-test purposes.

2. Guard test assertion could be more specific

assertThat(rows.get(0)).contains("Mustermann");

contains checks that the list contains the string "Mustermann" as one element. This is fine. If the ODS parsing ever changes row structure, this will catch it. No issue.

Coverage Assessment

The security fix in XxeSafeXmlParser.hardenedFactory() is covered indirectly through MassImportServiceTest. Direct unit tests on the factory method (as suggested by Nora) would give more granular failure messages if a feature flag were ever inadvertently removed, but the current integration-style coverage is not a gap for test strategy purposes.

Overall

The test suite for this fix is solid. Both behavioral and regression coverage are present. No blockers.

## 🧪 Sara Holt (@saraholt) — QA Engineer & Test Strategist **Verdict: ✅ Approved** Both tests are well-structured, correctly placed in the test pyramid, and the regression test is permanently anchored with a `// Security regression — do not remove.` comment. Coverage of the fix is complete. --- ### Test Quality Assessment **Test names — descriptive sentence format** ✅ ```java void readOds_rejects_xxe_doctype_payload(@TempDir Path tempDir) void readOds_parses_valid_ods_correctly(@TempDir Path tempDir) ``` Both names read as behavior descriptions. When they fail in CI, the developer knows what broke without opening the test body. **Arrange-Act-Assert structure** ✅ `readOds_rejects_xxe_doctype_payload`: - Arrange: `buildXxeOds(tempDir, "file:///etc/hostname")` — realistic, specific payload - Act + Assert: `assertThatThrownBy(() -> service.readOds(malicious)).isInstanceOf(SAXParseException.class).hasMessageContaining("DOCTYPE is disallowed")` `readOds_parses_valid_ods_correctly`: - Arrange: `buildValidOds(tempDir, "Mustermann")` - Act: `service.readOds(valid)` - Assert: `rows.isNotEmpty()` + `rows.get(0).contains("Mustermann")` **One logical assertion per test** ✅ The XXE test asserts on the exception type AND message in a single `assertThatThrownBy` chain — this is one logical assertion (exception with specific characteristics). The guard test asserts both non-empty and cell value, which is acceptable since they describe the same behavior (ODS parsed correctly). **Test layer placement** ✅ These are unit-ish tests: `MassImportServiceTest` uses `@ExtendWith(MockitoExtension.class)` with mocked dependencies. The `readOds` tests use `@TempDir` and real ZIP construction — no Spring context, no database. They belong exactly here: fast, isolated, sub-second execution. **Helper method quality** ✅ `buildXxeOds`, `buildValidOds`, and `writeOdsZip` are all under 20 lines and well-factored. `writeOdsZip` is correctly extracted as a shared helper rather than duplicated. The parameterization of `entityTarget` in `buildXxeOds` allows future tests to target different payloads (local file, remote URL, etc.) without new helpers. **`@TempDir` usage** ✅ `@TempDir Path tempDir` is the correct JUnit 5 pattern for temporary file tests. Files are automatically cleaned up after each test — no `@AfterEach` teardown needed. --- ### Suggestions (non-blocking) **1. Consider a second XXE payload variant — network-based SSRF** The current test uses `file:///etc/hostname`. A network-based entity target (`http://169.254.169.254/latest/meta-data/`) would cover the SSRF via XXE vector as well. Not required — `disallow-doctype-decl = true` blocks both equally — but it would make the test's coverage of the threat model more explicit: ```java @ParameterizedTest @ValueSource(strings = { "file:///etc/hostname", "http://169.254.169.254/latest/meta-data/" }) void readOds_rejects_xxe_doctype_payload(String target, @TempDir Path tempDir) throws Exception { File malicious = buildXxeOds(tempDir, target); assertThatThrownBy(() -> service.readOds(malicious)) .isInstanceOf(SAXParseException.class) .hasMessageContaining("DOCTYPE is disallowed"); } ``` Non-blocking — the current test is sufficient. This is a "nice to have" for documentation-by-test purposes. **2. Guard test assertion could be more specific** ```java assertThat(rows.get(0)).contains("Mustermann"); ``` `contains` checks that the list contains the string `"Mustermann"` as one element. This is fine. If the ODS parsing ever changes row structure, this will catch it. No issue. --- ### Coverage Assessment The security fix in `XxeSafeXmlParser.hardenedFactory()` is covered indirectly through `MassImportServiceTest`. Direct unit tests on the factory method (as suggested by Nora) would give more granular failure messages if a feature flag were ever inadvertently removed, but the current integration-style coverage is not a gap for test strategy purposes. ### Overall The test suite for this fix is solid. Both behavioral and regression coverage are present. No blockers.

marcel commented

2026-05-17 16:20:42 +02:00

📋 Elicit — Requirements Engineer & Business Analyst

Verdict: ✅ Approved

This PR directly closes issue #528. The implemented scope matches the stated requirements precisely, with no scope creep and no missing acceptance criteria.

Requirements Traceability Check

Issue #528 scope vs. implementation

Based on the PR description and diff, the delivered scope is:

Requirement	Delivered
Harden `DocumentBuilderFactory` against XXE	✅ `XxeSafeXmlParser.hardenedFactory()` applies all 6 OWASP controls
Replace unsafe factory call in `MassImportService.readOds()`	✅ One-line replacement, `factory.setNamespaceAware(true)` preserved
Regression test proving vulnerability existed	✅ `readOds_rejects_xxe_doctype_payload` with realistic payload
Guard test preserving valid ODS behavior	✅ `readOds_parses_valid_ods_correctly`
Semgrep rule to prevent regression at the class level	✅ Three rules covering DOM, SAX, and StAX factory types
CI gate to enforce the Semgrep rule	✅ `semgrep-scan` job with `--error` flag

Acceptance criteria coverage

The PR's test plan section mirrors the acceptance criteria of issue #528 exactly. All four items are verified by the implementation and test suite.

Scope Assessment

No gold-plating ✅

The PR does not extend hardening to other XML contexts that weren't part of the issue (e.g., OCR service, other parsers). The Semgrep rules ensure those would be caught if they emerge — the detection capability is established without over-reaching the fix.

No scope gaps ✅

The PR description notes that POI does not expose the vulnerable code path — the vulnerable factory is the custom call in readOds(). This is correctly scoped.

Non-functional requirements ✅

Test suite: 1607 tests, 0 failures (stated in PR description)
Coverage gate: passes (stated in PR description)
CI: parallel job, no blocking impact on pipeline time

One Open Question (informational, not blocking)

The Semgrep rules cover DocumentBuilderFactory, SAXParserFactory, and XMLInputFactory. The PR only fixes a DocumentBuilderFactory call. If the codebase were ever to add SAX or StAX parser usage, the rules would catch it — but there's no corresponding hardened utility for those factory types yet (XxeSafeXmlParser.hardenedFactory() returns only DocumentBuilderFactory).

This is not a gap for this PR (those factory types aren't in use), but it's worth noting in the issue as a future consideration: if SAX or StAX parsers are added, the pattern should be extended. Recommend adding a note to issue #528 before closing, or creating a follow-up item.

Overall

Precisely scoped to the issue. Requirements are fully met. No missing acceptance criteria, no untracked scope additions.

## 📋 Elicit — Requirements Engineer & Business Analyst **Verdict: ✅ Approved** This PR directly closes issue #528. The implemented scope matches the stated requirements precisely, with no scope creep and no missing acceptance criteria. --- ### Requirements Traceability Check **Issue #528 scope vs. implementation** Based on the PR description and diff, the delivered scope is: | Requirement | Delivered | |---|---| | Harden `DocumentBuilderFactory` against XXE | ✅ `XxeSafeXmlParser.hardenedFactory()` applies all 6 OWASP controls | | Replace unsafe factory call in `MassImportService.readOds()` | ✅ One-line replacement, `factory.setNamespaceAware(true)` preserved | | Regression test proving vulnerability existed | ✅ `readOds_rejects_xxe_doctype_payload` with realistic payload | | Guard test preserving valid ODS behavior | ✅ `readOds_parses_valid_ods_correctly` | | Semgrep rule to prevent regression at the class level | ✅ Three rules covering DOM, SAX, and StAX factory types | | CI gate to enforce the Semgrep rule | ✅ `semgrep-scan` job with `--error` flag | **Acceptance criteria coverage** The PR's test plan section mirrors the acceptance criteria of issue #528 exactly. All four items are verified by the implementation and test suite. --- ### Scope Assessment **No gold-plating** ✅ The PR does not extend hardening to other XML contexts that weren't part of the issue (e.g., OCR service, other parsers). The Semgrep rules ensure those would be caught if they emerge — the detection capability is established without over-reaching the fix. **No scope gaps** ✅ The PR description notes that POI does not expose the vulnerable code path — the vulnerable factory is the *custom* call in `readOds()`. This is correctly scoped. **Non-functional requirements** ✅ - Test suite: 1607 tests, 0 failures (stated in PR description) - Coverage gate: passes (stated in PR description) - CI: parallel job, no blocking impact on pipeline time --- ### One Open Question (informational, not blocking) The Semgrep rules cover `DocumentBuilderFactory`, `SAXParserFactory`, and `XMLInputFactory`. The PR only fixes a `DocumentBuilderFactory` call. If the codebase were ever to add SAX or StAX parser usage, the rules would catch it — but there's no corresponding hardened utility for those factory types yet (`XxeSafeXmlParser.hardenedFactory()` returns only `DocumentBuilderFactory`). This is not a gap for this PR (those factory types aren't in use), but it's worth noting in the issue as a future consideration: if SAX or StAX parsers are added, the pattern should be extended. Recommend adding a note to issue #528 before closing, or creating a follow-up item. --- ### Overall Precisely scoped to the issue. Requirements are fully met. No missing acceptance criteria, no untracked scope additions.

marcel commented

2026-05-17 16:20:48 +02:00

🎨 Leonie Voss (@leonievoss) — UI/UX Design Lead

Verdict: ✅ Approved

This PR is entirely backend and CI — no frontend components, no routes, no UI changes, no Svelte files, no Tailwind classes, no accessibility concerns.

What I Checked

This PR touches:

backend/src/main/java/org/raddatz/familienarchiv/importing/XxeSafeXmlParser.java — new Java utility class
backend/src/main/java/org/raddatz/familienarchiv/importing/MassImportService.java — one-line factory replacement
backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java — test additions
.semgrep/security.yml — new Semgrep rules
.gitea/workflows/ci.yml — new CI job

None of these files have any user-facing UI surface. There are no Svelte components, no route changes, no i18n keys added or removed, no design tokens touched, and no frontend code of any kind.

From a UX perspective, this PR reduces the risk of a security incident (XXE file exfiltration) that could have impacted user trust and data confidentiality — which is ultimately a UX concern. But the implementation is invisible to users, which is exactly as it should be for a security hardening fix.

No UI findings. LGTM.

## 🎨 Leonie Voss (@leonievoss) — UI/UX Design Lead **Verdict: ✅ Approved** This PR is entirely backend and CI — no frontend components, no routes, no UI changes, no Svelte files, no Tailwind classes, no accessibility concerns. --- ### What I Checked This PR touches: - `backend/src/main/java/org/raddatz/familienarchiv/importing/XxeSafeXmlParser.java` — new Java utility class - `backend/src/main/java/org/raddatz/familienarchiv/importing/MassImportService.java` — one-line factory replacement - `backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java` — test additions - `.semgrep/security.yml` — new Semgrep rules - `.gitea/workflows/ci.yml` — new CI job None of these files have any user-facing UI surface. There are no Svelte components, no route changes, no i18n keys added or removed, no design tokens touched, and no frontend code of any kind. From a UX perspective, this PR reduces the risk of a security incident (XXE file exfiltration) that could have impacted user trust and data confidentiality — which is ultimately a UX concern. But the implementation is invisible to users, which is exactly as it should be for a security hardening fix. No UI findings. LGTM.

marcel merged commit 669eaa7c65 into main

2026-05-17 16:42:10 +02:00

marcel deleted branch feat/issue-528-xxe-hardening

2026-05-17 16:42:11 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#610