diff --git a/everrest-core/src/main/java/org/everrest/core/impl/provider/DOMSourceEntityProvider.java b/everrest-core/src/main/java/org/everrest/core/impl/provider/DOMSourceEntityProvider.java
index 9151ca88..c6af5c7b 100644
--- a/everrest-core/src/main/java/org/everrest/core/impl/provider/DOMSourceEntityProvider.java
+++ b/everrest-core/src/main/java/org/everrest/core/impl/provider/DOMSourceEntityProvider.java
@@ -35,6 +35,8 @@
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
/**
* @author Andrey Parfonov
* @version $Id: DOMSourceEntityProvider.java 285 2009-10-15 16:21:30Z aparfonov
@@ -63,6 +65,12 @@ public DOMSource readFrom(Class type,
InputStream entityStream) throws IOException {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+ } catch (Throwable ignored) {}
factory.setNamespaceAware(true);
Document d = factory.newDocumentBuilder().parse(entityStream);
return new DOMSource(d);
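Review bot: The single `catch (Throwable ignored) {}` around the four setFeature calls fails open: on a parser that does not recognise the Xerces-specific `http://apache.org/xml/features/...` name, the ParserConfigurationException from the first call skips the remaining three, including the JAXP-mandatory FEATURE_SECURE_PROCESSING, and nothing records that the hardening was not applied. Set FEATURE_SECURE_PROCESSING outside the best-effort block (presumably the enclosing try already handles ParserConfigurationException, since `newDocumentBuilder()` on the next line throws it; the catch clauses are not visible in the hunk), and apply each optional feature in its own try so one unsupported name does not disable the others. Catching Throwable also hides Errors, so narrow it to ParserConfigurationException, which is what `setFeature` declares. The same block appears in ErrorPages.loadRoles in this commit and should be reshaped the same way. readFrom starts and its catch clauses end outside this hunk.
```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Mandatory for every JAXP implementation, so it is applied unconditionally: a
// ParserConfigurationException here should reach the enclosing catch, not be dropped.
factory.setFeature(FEATURE_SECURE_PROCESSING, true);
// Xerces-specific hardening; each toggle is independent so an unsupported name
// does not prevent the others from being applied.
trySetFeature(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
trySetFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
trySetFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
factory.setNamespaceAware(true);
// … unchanged: newDocumentBuilder().parse(entityStream) and the return …

// New private helper in the class body.
private static void trySetFeature(DocumentBuilderFactory factory, String name, boolean value) {
    try {
        factory.setFeature(name, value);
    } catch (ParserConfigurationException ignored) {
        // Not every parser implements this feature; the mandatory
        // secure-processing feature set above still applies.
    }
}
```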
@@ -102,7 +110,9 @@ public void writeTo(DOMSource t,
OutputStream entityStream) throws IOException {
StreamResult out = new StreamResult(entityStream);
try {
- TransformerFactory.newInstance().newTransformer().transform(t, out);
+ TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true); //it's enough there
+ factory.newTransformer().transform(t, out);
} catch (TransformerConfigurationException e) {
throw new IOException("Can't write to output stream " + e);
} catch (TransformerException e) {
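Review bot: The trailing comment `//it's enough there` on the setFeature line does not say what "enough" is relative to, so a later reader cannot tell why this write path gets less hardening than readFrom above. Spell out the reasoning, e.g. `// identity transform of an already-parsed Document: no stylesheet or DTD is loaded during transform(), so secure processing alone is sufficient here`. If that is not the intended justification, the comment should state the actual one. writeTo's remaining catch clause ends outside this hunk.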
diff --git a/everrest-core/src/main/java/org/everrest/core/impl/provider/SAXSourceEntityProvider.java b/everrest-core/src/main/java/org/everrest/core/impl/provider/SAXSourceEntityProvider.java
index 49a21e83..620a447b 100644
--- a/everrest-core/src/main/java/org/everrest/core/impl/provider/SAXSourceEntityProvider.java
+++ b/everrest-core/src/main/java/org/everrest/core/impl/provider/SAXSourceEntityProvider.java
@@ -30,6 +30,8 @@
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
/**
* @author Andrey Parfonov
* @version $Id: SAXSourceEntityProvider.java 285 2009-10-15 16:21:30Z aparfonov
@@ -80,7 +82,9 @@ public void writeTo(SAXSource t,
OutputStream entityStream) throws IOException {
StreamResult out = new StreamResult(entityStream);
try {
- TransformerFactory.newInstance().newTransformer().transform(t, out);
+ TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+ factory.newTransformer().transform(t, out);
} catch (TransformerConfigurationException e) {
throw new IOException("Can't write to output stream " + e);
} catch (TransformerException e) {
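Review bot: Unlike the DOM case, a SAXSource is parsed during `transform()`, and when the source carries no XMLReader the transformer builds one itself; FEATURE_SECURE_PROCESSING on the factory limits expansion, but whether that reader may fetch external DTDs is governed by the ACCESS_EXTERNAL_DTD attribute, which the JDK's built-in implementation clears as a side effect of secure processing while other TransformerFactory implementations need not. Make the restriction explicit and implementation-independent by adding, after the setFeature line, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` (this needs `javax.xml.XMLConstants` imported as a class, not only the static constant), guarded for the IllegalArgumentException that pre-JAXP-1.5 implementations throw for unknown attributes. The StreamSource writeTo in StreamSourceEntityProvider has the same shape and should get the same two attributes. Where the SAXSource's own reader is constructed is not part of this diff, so that side still needs checking separately.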
diff --git a/everrest-core/src/main/java/org/everrest/core/impl/provider/StreamSourceEntityProvider.java b/everrest-core/src/main/java/org/everrest/core/impl/provider/StreamSourceEntityProvider.java
index 90689aaf..a3c2aced 100644
--- a/everrest-core/src/main/java/org/everrest/core/impl/provider/StreamSourceEntityProvider.java
+++ b/everrest-core/src/main/java/org/everrest/core/impl/provider/StreamSourceEntityProvider.java
@@ -28,6 +28,8 @@
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
/**
* @author andrew00x
*/
@@ -75,7 +77,9 @@ public void writeTo(StreamSource t,
OutputStream entityStream) throws IOException {
StreamResult out = new StreamResult(entityStream);
try {
- TransformerFactory.newInstance().newTransformer().transform(t, out);
+ TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+ factory.newTransformer().transform(t, out);
} catch (TransformerException | TransformerFactoryConfigurationError e) {
throw new IOException("Can't write to output stream " + e);
}
diff --git a/everrest-core/src/main/java/org/everrest/core/impl/provider/XSLTTemplatesContextResolver.java b/everrest-core/src/main/java/org/everrest/core/impl/provider/XSLTTemplatesContextResolver.java
index b287831a..48205830 100644
--- a/everrest-core/src/main/java/org/everrest/core/impl/provider/XSLTTemplatesContextResolver.java
+++ b/everrest-core/src/main/java/org/everrest/core/impl/provider/XSLTTemplatesContextResolver.java
@@ -30,6 +30,8 @@
import java.util.HashMap;
import java.util.Map;
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
/**
* Provide cache for transformation templates.
*
@@ -86,6 +88,7 @@ public void addAsTemplate(String name, Source source) throws IOException, SAXExc
}
synchronized (templates) {
SAXTransformerFactory factory = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true);
TemplatesHandler templateHandler = factory.newTemplatesHandler();
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
if (resolver != null) {
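Review bot: The FEATURE_SECURE_PROCESSING added on the SAXTransformerFactory governs the TemplatesHandler, but the stylesheet bytes are actually parsed by the `XMLReader` created two lines later via `XMLReaderFactory.createXMLReader()`, which receives no features at all, so DOCTYPE and external-entity handling for the stylesheet document is left at the parser's defaults. Apply the same hardening to the reader right after it is created: `xmlReader.setFeature(FEATURE_SECURE_PROCESSING, true);`, `xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` (XMLReader.setFeature throws SAXException subtypes, which the method's declared `SAXExc…` clause appears to cover). Templates are presumably application-supplied, which lowers the exposure, but the hardening is otherwise inconsistent with the entity providers in this commit. addAsTemplate starts and ends outside this hunk.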
diff --git a/everrest-core/src/main/java/org/everrest/core/tools/ErrorPages.java b/everrest-core/src/main/java/org/everrest/core/tools/ErrorPages.java
index eaed1253..eca5733d 100644
--- a/everrest-core/src/main/java/org/everrest/core/tools/ErrorPages.java
+++ b/everrest-core/src/main/java/org/everrest/core/tools/ErrorPages.java
@@ -30,6 +30,8 @@
import java.util.HashMap;
import java.util.Map;
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
/**
* Describes error-page references for web application in web.xml file.
*
@@ -58,8 +60,14 @@ protected void loadErrorPages(ServletContext servletContext, Map loadRoles(ServletContext servletContext) throws UnhandledE
return Collections.emptySet();
}
try {
- DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
- Document dom = documentBuilder.parse(input);
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+ } catch (Throwable ignored) {}
+ Document dom = factory.newDocumentBuilder().parse(input);
XPathFactory xpathFactory = XPathFactory.newInstance();
XPath xpath = xpathFactory.newXPath();
NodeList all = (NodeList)xpath.evaluate("/web-app/security-role/role-name", dom, XPathConstants.NODESET);