From 7ea365b93da7d54c7756ed0873ce09400f62339f Mon Sep 17 00:00:00 2001
From: "Stein.Codes"
Date: Wed, 18 Oct 2023 05:54:01 +0000
Subject: [PATCH] refactor: Java Security Ultimate Scan 2023 Disclaimer: Automated Commit Alert Please be aware that this commit, generated through automated processes, may contain false alerts or not be precisely targeted. This automated commit is part of a large-scale effort to enhance software security over time. It is sent to various repositories to improve code quality and security. Exercise caution when reviewing the changes, and ensure that any necessary adjustments are made to maintain the integrity and functionality of the software. Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/MtR7dypUE?organizationId=SmVua2lucyBDSQ%3D%3D Co-authored-by: Moderne
---
 .../java/hudson/plugins/accurev/cmd/ChangeLogCmd.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/main/java/hudson/plugins/accurev/cmd/ChangeLogCmd.java b/src/main/java/hudson/plugins/accurev/cmd/ChangeLogCmd.java
index 1295eeba..d905ae76 100644
--- a/src/main/java/hudson/plugins/accurev/cmd/ChangeLogCmd.java
+++ b/src/main/java/hudson/plugins/accurev/cmd/ChangeLogCmd.java
@@ -18,6 +18,7 @@
 import java.util.Date;
 import java.util.Map;
 import java.util.logging.Logger;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -164,6 +165,13 @@ private static void applyWebURL(
 GetConfigWebURL webuiURL = webURL.get("webuiURL");
 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ try {
+ documentBuilderFactory.setFeature(FEATURE, true);
+ } catch (ParserConfigurationException e) {
+ throw new IllegalStateException("ParserConfigurationException was thrown. The feature '"
+ + FEATURE + "' is not supported by your XML processor.", e);
+ }
 DocumentBuilder documentBuilder;
 try {
 documentBuilder = documentBuilderFactory.newDocumentBuilder();
@@ -196,6 +204,9 @@ private static void applyWebURL(
 DOMSource source = new DOMSource(document);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 Transformer transformer = transformerFactory.newTransformer();
 StreamResult result = new StreamResult(changelogFile);
 transformer.transform(source, result);
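Review bot: The new `setFeature` guard throws an unchecked `IllegalStateException`, while the `try` right after it around `newDocumentBuilder()` presumably has its own handler for `ParserConfigurationException` (its catch clause is outside the hunk), so applyWebURL may now have two different failure paths for the same parser-configuration problem. Failing closed is the right behaviour for an XXE guard, but confirm that the caller tolerates the unchecked exception, or move the call into the existing `try` if that handler also stops processing rather than continuing with an unhardened parser. `FEATURE` is a local named like a constant; `final String disallowDoctypeDecl = "http://apache.org/xml/features/disallow-doctype-decl";` or a `private static final` field would follow Java naming. A one-line comment such as `// Reject any DOCTYPE so external entities in the changelog XML cannot be resolved (XXE).` would tell the next maintainer why the feature is set. applyWebURL's body starts and ends outside the hunk.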
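Review bot: The two `setAttribute` calls after `TransformerFactory.newInstance()` have no handling for `IllegalArgumentException`, which `TransformerFactory.setAttribute` throws when the resolved implementation does not recognise the attribute. Unlike the `setFeature` guard added to the parser earlier in this patch, an unsupported implementation here surfaces as a bare unchecked exception with no context, and which implementation `newInstance()` resolves depends on the runtime classpath. I would set `FEATURE_SECURE_PROCESSING` first and wrap the two attributes so that the failure names the implementation class, as sketched below. The enclosing method starts and ends outside the hunk, and I am assuming its existing handler already covers the `TransformerConfigurationException` that `setFeature` can throw.

```java
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    // Block external DTD and stylesheet fetches.
    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    throw new IllegalStateException(
            "TransformerFactory " + transformerFactory.getClass().getName()
                    + " does not support the JAXP external-access properties.", e);
}
// … unchanged: newTransformer(), StreamResult, transform(source, result) …
```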