From d707cfa4237f2bf28cbd2387778c663a816d5cb9 Mon Sep 17 00:00:00 2001 From: stijnpotters Date: Fri, 23 Jan 2026 15:31:04 +0100 Subject: [PATCH 1/2] fix: refactored xml parsing vulnerability --- .../org/frankframework/flow/project/Project.java | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/frankframework/flow/project/Project.java b/src/main/java/org/frankframework/flow/project/Project.java index 370d8f6..80f6d0b 100644 --- a/src/main/java/org/frankframework/flow/project/Project.java +++ b/src/main/java/org/frankframework/flow/project/Project.java @@ -23,7 +23,7 @@ public class Project { private String name; private String rootPath; private final ArrayList configurations; - private final ProjectSettings projectSettings; + @Getter private final ProjectSettings projectSettings; public Project(String name, String rootPath) { this.name = name; @@ -45,11 +45,7 @@ public void setConfigurationXml(String filepath, String xmlContent) { } } - public ProjectSettings getProjectSettings() { - return this.projectSettings; - } - - public boolean isFilterEnabled(FilterType type) { + public boolean isFilterEnabled(FilterType type) { return projectSettings.isEnabled(type); } @@ -92,7 +88,7 @@ public boolean updateAdapter(String configurationName, String adapterName, Strin } private Document parseXml(String xmlContent) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XmlSecurityUtils.createSecureDocumentBuilderFactory(); factory.setIgnoringComments(true); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder(); 
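Review bot: The XXE hardening in `parseXml` now depends entirely on `XmlSecurityUtils.createSecureDocumentBuilderFactory()`, whose body is not part of this patch, so nothing visible here shows that DOCTYPE declarations and external entities are rejected; the same applies to `parseNewAdapter` in the following hunk. Please confirm the helper sets `XMLConstants.FEATURE_SECURE_PROCESSING`, enables `http://apache.org/xml/features/disallow-doctype-decl`, and calls `setExpandEntityReferences(false)` and `setXIncludeAware(false)`. I would also add a comment at both call sites such as `// factory must reject DOCTYPE and external entities; do not replace with DocumentBuilderFactory.newInstance()`. A regression test that passes XML containing a DOCTYPE to these methods and expects a parse failure would keep the fix from being undone later. No import for `XmlSecurityUtils` is added in this diff, so it presumably sits in the same package or was already imported; both method bodies continue outside their hunks.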
@@ -100,7 +96,7 @@ private Document parseXml(String xmlContent) throws Exception { } private Node parseNewAdapter(Document configDoc, String newAdapterXml) throws Exception { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory factory = XmlSecurityUtils.createSecureDocumentBuilderFactory(); factory.setIgnoringComments(true); factory.setNamespaceAware(true); DocumentBuilder builder = factory.newDocumentBuilder(); From bb38fc8ffdd1775e77bdfc044e8e974c3cb251c4 Mon Sep 17 00:00:00 2001 From: stijnpotters Date: Fri, 23 Jan 2026 15:33:40 +0100 Subject: [PATCH 2/2] fix: removed getter --- src/main/java/org/frankframework/flow/project/Project.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/frankframework/flow/project/Project.java b/src/main/java/org/frankframework/flow/project/Project.java index 80f6d0b..abff592 100644 --- a/src/main/java/org/frankframework/flow/project/Project.java +++ b/src/main/java/org/frankframework/flow/project/Project.java @@ -23,7 +23,7 @@ public class Project { private String name; private String rootPath; private final ArrayList configurations; - @Getter private final ProjectSettings projectSettings; + private final ProjectSettings projectSettings; public Project(String name, String rootPath) { this.name = name;
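Review bot: After the last hunk (PATCH 2/2) `projectSettings` has no accessor left in the visible code: PATCH 1/2 deleted the hand-written `getProjectSettings()` and this hunk removes the field-level `@Getter` that replaced it. Unless `Project` carries a class-level Lombok `@Getter` (the class annotations are outside the hunk), any caller of `getProjectSettings()` will stop compiling, and the only access path still shown is `isFilterEnabled(FilterType)`. If the removal is intended, say so in the commit message and add a short comment on the field, e.g. `// not exposed directly; query via isFilterEnabled(...)`; otherwise restore the explicit getter. This API change is also unrelated to the XML parsing fix and would be easier to audit as a separate commit.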