[#702] Disable access to external entities in XML parsing

goldmansachs · Sep 9, 2024 · 007272b · 007272b
1 parent 9261b20
commit 007272b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementDeserializer.java b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementDeserializer.java
@@ -10,6 +10,7 @@
 import org.w3c.dom.Element;
 import org.xml.sax.InputSource;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.IOException;
@@ -37,6 +38,8 @@ public NSElement deserialize(JsonParser parser, DeserializationContext ctxt) thr
     private static Element toElement(String text) {
         try {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             DocumentBuilder builder = factory.newDocumentBuilder();
             Document doc = builder.parse(new InputSource(new StringReader(text)));
             return doc.getDocumentElement();

diff --git a/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java b/dmn-core/src/main/java/com/gs/dmn/serialization/jackson/NSElementSerializer.java
@@ -6,6 +6,7 @@
 import com.gs.dmn.serialization.xstream.dom.NSElement;
 import org.w3c.dom.Element;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -26,12 +27,13 @@ public void serialize(NSElement element, JsonGenerator gen, SerializerProvider s
 
     private static String toXml(Element element) {
         try {
-            Transformer transformer = TransformerFactory.newInstance().newTransformer();
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             StringWriter writer = new StringWriter();
+            Transformer transformer = factory.newTransformer();
             transformer.transform(new DOMSource(element), new StreamResult(writer));
-            String xmlString = writer.toString();
-            return xmlString;
-//            gen.writeString(xmlString);
+            return writer.toString();
         } catch (TransformerException e) {
             throw new RuntimeException("Error serializing DOM Element", e);
         }