The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Recommendations: Configure the XML parser to disable external entity resolution.

Flaw Id: 7  Module: poi-ooxml-4.1.0.jar  Location: OOXMLPrettyPrint.java 108
Flaw Id: 8  Module: poi-ooxml-4.1.0.jar  Location: OOXMLPrettyPrint.java 135
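The recommendation above (disable external entity resolution) is what a hardened JAXP DocumentBuilderFactory looks like in practice. The following is an added example written for this thread, not code from Apache POI or from the scanner: it builds a factory that refuses DOCTYPE declarations and, as defence in depth, switches off external general and parameter entities, external DTD loading, XInclude and entity expansion, then checks how it behaves against a constructed document that declares an external entity. The class and method names are this example's own, the sample documents are constructed, the SYSTEM URL is a placeholder path, and the example assumes the JDK's built-in Xerces-based parser, which supports the feature names used here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardenedParserExample {

    // The weak setting: a factory with defaults. External entity references
    // are resolved and fetched unless the caller turns that off.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // The corrected setting. Disallowing DOCTYPE is the single most
    // effective control; the remaining features are defence in depth for
    // parsers where that feature is not honoured.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty protocol list means no external
        // DTD or schema access over any protocol.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the document and classifies the outcome so the difference
    // between "rejected by policy" and "tried to fetch the URL" is visible.
    static String outcome(DocumentBuilderFactory f, String xml) {
        try {
            f.newDocumentBuilder()
             .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXException e) {
            // disallow-doctype-decl surfaces as a SAXParseException before any fetch
            return "rejected by parser: " + e.getMessage();
        } catch (IOException e) {
            // the default parser attempted to open the external reference;
            // it fails here only because the placeholder path does not exist
            return "parser attempted to fetch the external reference: " + e.getMessage();
        } catch (ParserConfigurationException e) {
            return "feature not supported by this parser: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document and one whose DOCTYPE
        // declares an external entity pointing at a placeholder path.
        String plain = "<doc><v>ok</v></doc>";
        String withExternalEntity =
            "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
            + "<doc>&ext;</doc>";

        System.out.println("default,  plain document:           " + outcome(defaultFactory(), plain));
        System.out.println("default,  external entity document: " + outcome(defaultFactory(), withExternalEntity));
        System.out.println("hardened, plain document:           " + outcome(hardenedFactory(), plain));
        System.out.println("hardened, external entity document: " + outcome(hardenedFactory(), withExternalEntity));
    }
}
```

Run with `javac XxeHardenedParserExample.java && java XxeHardenedParserExample`. The hardened factory parses the plain document and rejects the second one at the DOCTYPE, before any resolution is attempted; the default factory accepts the same DOCTYPE and tries to open the referenced URL, which is exactly the behaviour the finding describes. A static scanner keyed on unconfigured `DocumentBuilderFactory.newInstance()` calls would still flag the default factory in this file, so in production code the hardened factory should be the only one that exists.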
Every now and then we get findings on dev classes, which aren't meant for production code, but do reside in the release. These dev/sample classes usually don't get much attention after they've been thrown in the trunk. I would prefer to move those classes to the test area or link something like a GitHub project, so it's neither POI's direct responsibility nor do those cases bubble up when the library gets scanned ... more important, we'd get results for real production code problems ...
I made a change (https://svn.apache.org/repos/asf/poi/trunk@1865720) - but I agree that we should move these util classes to new code base to keep them out of the jars we publish to maven central.