From 6602daab1eebeb97ab1ebe514afbcccc7f39b61c Mon Sep 17 00:00:00 2001
From: Jeremy Landis <jeremylandis@hotmail.com>
Date: Wed, 25 Sep 2024 20:14:18 -0400
Subject: [PATCH 1/2] Fix code scanning alert no. 3: Resolving XML external
 entity in user-controlled data

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/java/com/ibatis/common/xml/NodeletParser.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
index cf6f754e..e25c0c2a 100644
--- a/src/main/java/com/ibatis/common/xml/NodeletParser.java
+++ b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -199,13 +199,16 @@ private Document createDocument(Reader reader)
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setValidating(validation);
 
     factory.setNamespaceAware(false);
     factory.setIgnoringComments(true);
     factory.setIgnoringElementContentWhitespace(false);
     factory.setCoalescing(false);
-    factory.setExpandEntityReferences(true);
+    factory.setExpandEntityReferences(false);
 
     DocumentBuilder builder = factory.newDocumentBuilder();
     builder.setEntityResolver(entityResolver);

From 34b8758bcbf4862bcfa51dead419c9395535bd67 Mon Sep 17 00:00:00 2001
From: Jeremy Landis <jeremylandis@hotmail.com>
Date: Wed, 25 Sep 2024 20:14:55 -0400
Subject: [PATCH 2/2] Update NodeletParser.java

---
 src/main/java/com/ibatis/common/xml/NodeletParser.java | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
index e25c0c2a..ecc6b719 100644
--- a/src/main/java/com/ibatis/common/xml/NodeletParser.java
+++ b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -199,9 +199,6 @@ private Document createDocument(Reader reader)
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setValidating(validation);
 
     factory.setNamespaceAware(false);