Provide for secure XML processing. (#318)

Provide for secure XML processing.
apereo · Jun 26, 2019 · e2f6b37 · e2f6b37
2 parents 5cca4f5 + 53c4e4a
commit e2f6b37
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
@@ -61,13 +61,15 @@ public static Document newDocument(final String xml) {
         final Map<String, Boolean> features = new HashMap<String, Boolean>();
         features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
         for (final Map.Entry<String, Boolean> entry : features.entrySet()) {
             try {
                 factory.setFeature(entry.getKey(), entry.getValue());
             } catch (ParserConfigurationException e) {
                 LOGGER.warn("Failed setting XML feature {}: {}", entry.getKey(), e);
             }
         }
+        factory.setExpandEntityReferences(false);
         factory.setNamespaceAware(true);
         try {
             return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
@@ -83,11 +85,14 @@ public static Document newDocument(final String xml) {
      */
     public static XMLReader getXmlReader() {
         try {
-            final XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
-            reader.setFeature("http://xml.org/sax/features/namespaces", true);
-            reader.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
-            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-            return reader;
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setNamespaceAware(true);
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            return factory.newSAXParser().getXMLReader();
         } catch (final Exception e) {
             throw new RuntimeException("Unable to create XMLReader", e);
         }