From 0840707c82903a00a17db93b155becd737d4a5a5 Mon Sep 17 00:00:00 2001
From: Vithursa
Date: Thu, 13 Feb 2020 11:11:03 +0530
Subject: [PATCH] Fix improper restriction of XXE
---
 .../processor/core/internal/storm/StormTopologyManager.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/components/event-processor/org.wso2.carbon.event.processor.core/src/main/java/org/wso2/carbon/event/processor/core/internal/storm/StormTopologyManager.java b/components/event-processor/org.wso2.carbon.event.processor.core/src/main/java/org/wso2/carbon/event/processor/core/internal/storm/StormTopologyManager.java
index 0d1443df0..ed50c2f66 100644
--- a/components/event-processor/org.wso2.carbon.event.processor.core/src/main/java/org/wso2/carbon/event/processor/core/internal/storm/StormTopologyManager.java
+++ b/components/event-processor/org.wso2.carbon.event.processor.core/src/main/java/org/wso2/carbon/event/processor/core/internal/storm/StormTopologyManager.java
@@ -41,6 +41,7 @@ import org.wso2.carbon.utils.CarbonUtils;
 import org.yaml.snakeyaml.Yaml;
+import javax.xml.XMLConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -151,7 +152,9 @@ public void killTopology(String executionPlanName, int tenantId) throws StormDep
 }
 private String getStringQueryPlan(Document document) throws TransformerException {
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 StringWriter sw = new StringWriter();
 StreamResult result = new StreamResult(sw);
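Review bot: In getStringQueryPlan the only hardening is `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, and what that feature restricts is defined by whichever implementation `TransformerFactory.newInstance()` resolves from the classpath, so external DTD and stylesheet access may still be permitted. I would state the restriction explicitly right after it with `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`, handling the `IllegalArgumentException` that an implementation without JAXP 1.5 support throws for these attributes. The method also receives an already-parsed `Document`, so any entity expansion presumably happened where that document was built; that parser configuration is outside this hunk and should be checked as part of the same fix. The body of getStringQueryPlan continues past the end of the hunk, so how the transformer's source is constructed is not visible here.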