Merge pull request #1078 from NASA-PDS/alert-autofix-XEE

Fix code scanning alert no. 442: Resolving XML external entity in user-controlled data
NASA-PDS · Dec 10, 2024 · ca51b85 · ca51b85
2 parents 69c8689 + 3490f4e
commit ca51b85
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/main/java/gov/nasa/pds/tools/label/SchematronTransformer.java b/src/main/java/gov/nasa/pds/tools/label/SchematronTransformer.java
@@ -21,6 +21,7 @@
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -61,6 +62,13 @@ public SchematronTransformer() throws TransformerConfigurationException {
 
   private Transformer buildIsoTransformer() throws TransformerConfigurationException {
     TransformerFactory isoFactory = TransformerFactory.newInstance();
+    try {
+      isoFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
+      isoFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+      isoFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+    } catch (TransformerConfigurationException e) {
+      throw new TransformerConfigurationException("Failed to configure TransformerFactory for secure processing", e);
+    }
     // Set the resolver that will look in the jar for imports
     isoFactory.setURIResolver(new XslURIResolver());
     // Load the isoSchematron stylesheet that will be used to transform each