From 31fcfbd43a616c8926c93c655a0bc67d1f3e3cca Mon Sep 17 00:00:00 2001
From: Olyutorskii
Date: Sat, 29 Jun 2019 00:30:08 +0900
Subject: [PATCH] Secured internal XML reading.

---
 .../java/jp/sfjp/mikutoga/typical/I18nAlias.java | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java b/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
index 4c4de31..5942a41 100644
--- a/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
+++ b/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.LinkedList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -43,6 +44,15 @@ class I18nAlias {
     public static final Comparator ORDER_COMPARATOR = new OrderComparator();
+    private static final String F_DISALLOW_DOCTYPE_DECL =
+            "http://apache.org/xml/features/disallow-doctype-decl";
+    private static final String F_EXTERNAL_GENERAL_ENTITIES =
+            "http://xml.org/sax/features/external-general-entities";
+    private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+            "http://xml.org/sax/features/external-parameter-entities";
+    private static final String F_LOAD_EXTERNAL_DTD =
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     private int orderNo;
@@ -110,6 +120,20 @@ class I18nAlias {
         DocumentBuilderFactory factory;
         factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+        factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+        factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+
+        // unsafe but we use DOCTYPE
+        factory.setFeature(F_DISALLOW_DOCTYPE_DECL, false);
+
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
+        factory.setXIncludeAware(false);
+        factory.setExpandEntityReferences(false);
+
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document doc = builder.parse(is);
--
2.11.0
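Review bot: `factory.setExpandEntityReferences(false)` does not stop entity expansion — as I read the JDK's DOM implementation it only controls whether the parsed tree keeps EntityReference nodes — so with `F_DISALLOW_DOCTYPE_DECL` left false, an entity bomb defined inside the internal DTD subset would still be expanded and is bounded only by the limits that `FEATURE_SECURE_PROCESSING` turns on. That is a reasonable trade-off for the bundled resource the subject line describes, but the `// unsafe but we use DOCTYPE` comment should record it, e.g. `// DOCTYPE stays enabled because the bundled XML declares one; external entities and DTD` / `// loading are off, so only internal entity expansion (capped by FEATURE_SECURE_PROCESSING) remains.` The Apache-specific feature URIs declared in the constants hunk (`F_DISALLOW_DOCTYPE_DECL`, `F_LOAD_EXTERNAL_DTD`) are understood by the JDK's built-in Xerces, but another JAXP provider on the classpath would reject them with ParserConfigurationException, and `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` would fail with an unchecked IllegalArgumentException on a pre-JAXP-1.5 provider; loading then fails closed, which is probably intended but deserves a one-line comment. The enclosing method begins and ends outside the hunk, so whether those exceptions are caught or declared is not visible here.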