BZ1158017: fix potential XXE vulnerability in jBPM simulation.

kiegroup · Jan 5, 2015 · 2d2074a · 2d2074a
1 parent 5af592f
commit 2d2074a
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/jbpm-simulation/src/main/java/org/jbpm/simulation/util/JBPMBpmn2ResourceImpl.java b/jbpm-simulation/src/main/java/org/jbpm/simulation/util/JBPMBpmn2ResourceImpl.java
@@ -1,17 +1,27 @@
 package org.jbpm.simulation.util;
 
+import java.util.HashMap;
+import java.util.Map;
+
 import org.eclipse.bpmn2.Bpmn2Package;
 import org.eclipse.bpmn2.util.Bpmn2ResourceImpl;
 import org.eclipse.emf.common.util.URI;
 import org.eclipse.emf.ecore.EObject;
 import org.eclipse.emf.ecore.EStructuralFeature;
+import org.eclipse.emf.ecore.xmi.XMLResource;
 import org.eclipse.emf.ecore.xmi.XMLSave;
 
 public class JBPMBpmn2ResourceImpl extends Bpmn2ResourceImpl {
 
 	public JBPMBpmn2ResourceImpl(URI uri) {
 		super(uri);
-	}
+
+        // Switch off DTD external entity processing
+        Map parserFeatures = new HashMap();
+        parserFeatures.put("http://xml.org/sax/features/external-general-entities", false);
+        this.getDefaultLoadOptions().put(XMLResource.OPTION_PARSER_FEATURES, parserFeatures);
+
+    }
 
 	@Override
     protected XMLSave createXMLSave() {