[secure] Make sure secure processing on document builder factory

mybatis · Sep 25, 2024 · f885bad · f885bad
1 parent 67e21de
commit f885bad
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -23,7 +23,7 @@
     <groupId>org.mybatis</groupId>
     <artifactId>mybatis-parent</artifactId>
     <version>45</version>
-    <relativePath/>
+    <relativePath />
   </parent>
 
   <groupId>org.mybatis</groupId>

diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2022 the original author or authors.
+ * Copyright 2004-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.io.Reader;
 import java.util.*;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.FactoryConfigurationError;
@@ -195,6 +196,7 @@ private void processNodelet(Node node, String pathString) {
   private Document createDocument(Reader reader)
       throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     factory.setValidating(validation);
 
     factory.setNamespaceAware(false);
@@ -241,6 +243,7 @@ public void warning(SAXParseException exception) throws SAXException {
   private Document createDocument(InputStream inputStream)
       throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     factory.setValidating(validation);
 
     factory.setNamespaceAware(false);

diff --git a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2023 the original author or authors.
+ * Copyright 2004-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,7 @@
 import java.util.Arrays;
 import java.util.List;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 
@@ -452,6 +453,7 @@ protected Object validateParameter(Object param) throws SQLException {
   private Document stringToDocument(String s) {
     try {
       DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+      documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
       return documentBuilder.parse(new ReaderInputStream(new StringReader(s)));
     } catch (Exception e) {