fix: address XXE in JaxbIO parsing (#2313)

ge0ffrey · web-flow · commit 2651d30002a8 · 2026-05-21T12:45:56.000+02:00
CWE-611: createUnmarshaller().unmarshal(Reader) lets the JAXB provider build its own SAX parser with default settings — external general entities, parameter entities, and DTD loading are not disabled.
diff --git a/core/src/main/java/ai/timefold/solver/core/impl/io/jaxb/GenericJaxbIO.java b/core/src/main/java/ai/timefold/solver/core/impl/io/jaxb/GenericJaxbIO.java
@@ -124,7 +124,7 @@ public GenericJaxbIO(Class<T> rootClass, int indentation) {
 
     public T read(Reader reader) {
         try {
-            return (T) createUnmarshaller().unmarshal(reader);
+            return (T) createUnmarshaller().unmarshal(parseXml(reader));
         } catch (JAXBException jaxbException) {
             throw new TimefoldXmlSerializationException(ERR_MSG_READ.formatted(rootClass.getName()), jaxbException);
         }

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ public GenericJaxbIO(Class<T> rootClass, int indentation) {`
`124`	`124`
`125`	`125`	`public T read(Reader reader) {`
`126`	`126`	`try {`
`127`		`- return (T) createUnmarshaller().unmarshal(reader);`
	`127`	`+ return (T) createUnmarshaller().unmarshal(parseXml(reader));`
`128`	`128`	`} catch (JAXBException jaxbException) {`
`129`	`129`	`throw new TimefoldXmlSerializationException(ERR_MSG_READ.formatted(rootClass.getName()), jaxbException);`
`130`	`130`	`}`