IBM / ibm-cos-sdk-java

xxe

QiAnXinCodeSafe opened this issue · comments

Hi!
I found that there are many places in ibm-cos-sdk-java that handle XML without disabling XML external entities, which may lead to an XML external entity injection vulnerability. Take XmlUtil.java as an example:
[image]
The same problem still exists elsewhere:
parseRegionMetadata.java line 118;
XpathUtils.java line 116;
parseXmlInputStream.java line 142;

Internal ticket reference: CSAFE-54086

@360CodeSafe how are you analysing the code? I see an issue within XmlUtils.java which needs patched and the related classes which use it. However parseRegionMetadata & parseXmlInputStream are more difficult to determine

We use the internal static code auditing tool (Qianxin Code Guardian) to do static code analysis and then manually review it.

The following is the data flow of our engine analysis:
1. parseRegionMetadata.java:
[image]
[image]
2. parseResponseSaxParser.java (Sorry, I may have made a mistake before.)
[image]

Because I don’t know much about the project, whether the input point is controlled by the attacker needs the developer’s own judgment.

@QiAnXinCodeSafe this issue has been resolved in the latest release of the SDK, version 2.5.0. Please review and let us know if this issue can be closed.