fixed codeql errors
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/util/WebXmlUtils.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/util/WebXmlUtils.java
index 11cbb1d..3fe0498 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/util/WebXmlUtils.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/util/WebXmlUtils.java
@@ -19,6 +19,8 @@
 
 package org.apache.myfaces.tobago.util;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -28,11 +30,13 @@
 import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import javax.servlet.ServletContext;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.invoke.MethodHandles;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.ArrayList;
@@ -43,6 +47,8 @@
 
 public class WebXmlUtils {
 
+  private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
   private static final Map<Class<Throwable>, String> ERROR_PAGE_LOCATIONS = new HashMap<>();
 
   public static String getErrorPageLocation(final Throwable exception) {
@@ -124,7 +130,19 @@
       throws ParserConfigurationException, IOException, SAXException {
     final List<Document> webXmls = new ArrayList<>();
 
-    final DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    try {
+      factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+      factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+      factory.setXIncludeAware(false);
+      factory.setExpandEntityReferences(false);
+    } catch (ParserConfigurationException e) {
+      LOG.info("ParserConfigurationException was thrown. A feature is probably not supported by your XML processor. "
+              + e.getMessage());
+    }
+    final DocumentBuilder documentBuilder = factory.newDocumentBuilder();
     for (final URL url : getWebXmlUrls(facesContext)) {
       webXmls.add(getWebXml(documentBuilder, url));
     }
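Review bot: The single try block around the `setFeature` calls fails open: if any one call throws ParserConfigurationException, the remaining features and `setXIncludeAware(false)` / `setExpandEntityReferences(false)` are skipped, yet the parser is still built and used, with only an INFO line recording it. Setting each feature in its own try/catch keeps the other protections when one is unsupported, and logging at WARN with the feature name and the exception as the last argument (instead of concatenating `e.getMessage()`) makes the gap visible. `XMLConstants.FEATURE_SECURE_PROCESSING` must be supported by every JAXP implementation, so it can sit outside the catch and propagate through the method's existing `throws ParserConfigurationException`. `http://apache.org/xml/features/disallow-doctype-decl` is not set; that may be deliberate if older DTD-based web.xml files still have to be parsed, in which case a short comment saying so would help. The enclosing method begins and ends outside the hunk.

```java
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Mandatory for every JAXP implementation: let a failure propagate instead of parsing unhardened.
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
final String[] featuresToDisable = {
    "http://xml.org/sax/features/external-general-entities",
    "http://xml.org/sax/features/external-parameter-entities",
    "http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (final String feature : featuresToDisable) {
  try {
    factory.setFeature(feature, false);
  } catch (final ParserConfigurationException e) {
    // One unsupported feature must not cancel the remaining ones.
    LOG.warn("XML parser does not support feature '{}'; it stays at the parser default.", feature, e);
  }
}
// … unchanged: factory.newDocumentBuilder() and the loop over getWebXmlUrls(facesContext) …
```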