new capacity bits (#67)

tests/fixtures/xxe/java/UnsafeLog4jConfig.java

@@ -0,0 +1,23 @@
+// Unsafe: Log4Shell-shape XXE leg.  The DOMConfigurator-style loader
+// reads an XML config file path supplied by the user, then parses it
+// through DocumentBuilder without enabling FEATURE_SECURE_PROCESSING or
+// disallowing DOCTYPE declarations.  External entities resolve, giving
+// the attacker a file-disclosure / SSRF primitive on the host.  Real-
+// world precedent: CVE-2022-23305 / CVE-2022-23307 (Log4j 1.x JDBC /
+// chainsaw config XXE).  Exercises the TypeFacts-tagged builder receiver
+// + xml_config sidecar end-to-end: builder is XmlParser-typed, no
+// secure-processing fact recorded, parse fires the XXE sink.
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.File;
+
+public class UnsafeLog4jConfig {
+    public Document loadConfig(HttpServletRequest req) throws Exception {
+        String configPath = req.getParameter("config");
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new File(configPath));
+    }
+}