From 9e8225746cd8d831bb3af7cee683cdf449dd251f Mon Sep 17 00:00:00 2001
From: Jeremy Landis
Date: Thu, 26 Sep 2024 01:20:29 -0400
Subject: [PATCH] Fix code scanning alert no. 4: Resolving XML external entity in user-controlled data
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
src/main/java/com/ibatis/common/xml/NodeletParser.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
index 3c9fb586..5c7706f2 100644
--- a/src/main/java/com/ibatis/common/xml/NodeletParser.java
+++ b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -248,6 +248,9 @@ private Document createDocument(InputStream inputStream) throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 factory.setValidating(validation);
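Review bot: The new `disallow-doctype-decl = true` line conflicts with `factory.setValidating(validation)` three lines below it: DTD validation needs a DOCTYPE, so whenever `validation` is true the parser now rejects every document that carries one, and if the sqlMap/sqlMapConfig files this parser reads declare the iBATIS DTD (as iBATIS 2 files conventionally do; not visible here) they stop loading. The two `external-*-entities` features together with the existing `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` set to `""` already block resolution of external entities and DTDs, which is the exposure the alert names, so the DOCTYPE ban mostly adds defense in depth against inline entity expansion that `FEATURE_SECURE_PROCESSING` already bounds, while silently changing which inputs are accepted. Either gate it, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !validation);`, with a comment that validation requires the DOCTYPE while entity resolution stays disabled, or, if callers never validate, remove the now-dead `setValidating` call and record why in a comment. A one-line comment that these three URIs are Xerces/SAX feature names, and that `setFeature` throws `ParserConfigurationException` on a JAXP implementation that does not recognise them (already covered by the method's `throws` clause), would also help the next reader. `createDocument` continues past the end of the hunk.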