From dc45ba56275f3a3cf7ba4eb2348af10cdf8fd380 Mon Sep 17 00:00:00 2001 From: yh-semmle Date: Wed, 31 Jul 2019 15:45:28 -0400 Subject: [PATCH] Java: update XXE qhelp with note on processing limits --- java/ql/src/Security/CWE/CWE-611/XXE.qhelp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.qhelp b/java/ql/src/Security/CWE/CWE-611/XXE.qhelp index b9537ba8f09..75c5a2d4d7a 100644 --- a/java/ql/src/Security/CWE/CWE-611/XXE.qhelp +++ b/java/ql/src/Security/CWE/CWE-611/XXE.qhelp @@ -25,6 +25,8 @@ external entities. This query currently identifies vulnerable XML parsing from t The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. +Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done +by default in recent JDK and JRE implementations.

@@ -64,6 +66,10 @@ Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013 Denial of service attack (Billion laughs): Billion Laughs. +
  • +The Java Tutorials: +Processing Limit Definitions. +
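Review bot: the new sentence in the first hunk ("Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations") is too vague for a reader deciding whether their runtime already has these limits; name the limits being referred to and state from which JDK version they are enabled by default, rather than "recent". It should also say that these limits address the entity-expansion (Billion Laughs) form of denial of service only, since the preceding sentence lists both denial of service and server side request forgery as remaining risks and the new sentence could be read as covering both.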
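Review bot: the new references entry in the second hunk ("The Java Tutorials: Processing Limit Definitions.") should carry a hyperlink to the tutorial page in the same form as the neighbouring entries (the Black Hat EU 2013 talk and the Billion Laughs reference), so the rendered qhelp links directly to it; as rendered here only the title text is visible. It would also help to add a one-line pointer from the body text to this reference so readers of the new sentence on expansion limits know where the limit definitions are documented.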