2424import org .jdom2 .output .Format ;
2525import org .jdom2 .output .XMLOutputter ;
2626
27+ import javax .xml .XMLConstants ;
2728import javax .xml .transform .*;
2829import javax .xml .transform .stream .StreamResult ;
2930import javax .xml .transform .stream .StreamSource ;
@@ -137,7 +138,6 @@ public static Document readXML(Reader reader, String schemaLocation, String pars
137138 builder = new SAXBuilder ("org.apache.xerces.parsers.SAXParser" , true );
138139 builder .setFeature ("https://xml.org/sax/features/validation" , true );
139140 builder .setFeature ("https://apache.org/xml/features/validation/schema" , true );
140- builder .setFeature ("https://apache.org/xml/features/disallow-doctype-decl" , true ); // disable potential attack vector https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java
141141 builder .setErrorHandler (errorHandler );
142142 builder .setProperty (schemaLocationPropName , schemaLocation );
143143 } else { //ignore schemaLocationPropName
@@ -148,7 +148,8 @@ public static Document readXML(Reader reader, String schemaLocation, String pars
148148 }
149149 builder .setErrorHandler (errorHandler );
150150 }
151- sDoc = builder .build (reader );
151+ builder .setFeature (XMLConstants .FEATURE_SECURE_PROCESSING , true ); // https://semgrep.dev/docs/cheat-sheets/java-xxe
152+ sDoc = builder .build (reader );
152153 // ----- Element root = null;
153154 // ----- root = sDoc.getRootElement();
154155 // flush/replace previous error log with every read.
0 commit comments