Update plugin to use commons.digester3

The change is based on the jenkinsci/jenkins#5320 PR
jenkinsci · Apr 8, 2022 · b752a15 · b752a15
1 parent ad0a864
commit b752a15
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/src/main/java/hudson/plugins/cocoemma/CoverageReport.java b/src/main/java/hudson/plugins/cocoemma/CoverageReport.java
@@ -1,7 +1,8 @@
 package hudson.plugins.cocoemma;
 
 import hudson.model.AbstractBuild;
-import org.apache.commons.digester.Digester;
+import org.apache.commons.digester3.Digester;
+import javax.xml.parsers.ParserConfigurationException;
 import org.xml.sax.SAXException;
 
 import java.io.File;
@@ -25,7 +26,7 @@ public CoverageReport(EmmaBuildAction action, InputStream... xmlReports) throws
         this(action);
         for (InputStream is: xmlReports) {
           try {
-            createDigester().parse(is);
+            createDigester(!Boolean.getBoolean(this.getClass().getName() + ".UNSAFE")).parse(is);
           } catch (SAXException e) {
               throw new IOException("Failed to parse XML",e);
           }
@@ -36,7 +37,7 @@ public CoverageReport(EmmaBuildAction action, InputStream... xmlReports) throws
     public CoverageReport(EmmaBuildAction action, File xmlReport) throws IOException {
         this(action);
         try {
-            createDigester().parse(xmlReport);
+            createDigester(!Boolean.getBoolean(this.getClass().getName() + ".UNSAFE")).parse(xmlReport);
         } catch (SAXException e) {
             throw new IOException("Failed to parse "+xmlReport,e);
         }
@@ -60,8 +61,20 @@ public AbstractBuild<?,?> getBuild() {
     /**
      * Creates a configured {@link Digester} instance for parsing report XML.
      */
-    private Digester createDigester() {
+    private Digester createDigester(boolean secure) throws SAXException {
         Digester digester = new Digester();
+
+        if (secure) {
+            digester.setXIncludeAware(false);
+            try {
+                digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            } catch (ParserConfigurationException ex) {
+                throw new SAXException("Failed to securely configure xml digester parser", ex);
+            }
+        }
         digester.setClassLoader(getClass().getClassLoader());
 
         digester.push(this);