Merge pull request #4 from car-roll/commons-digester3

upgrade to commons-digester3
jenkinsci · May 5, 2021 · 1f97cde · 1f97cde
2 parents ed2068c + 306b304
commit 1f97cde
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/pom.xml b/pom.xml
@@ -62,6 +62,11 @@
   </repositories>
 
   <dependencies>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-digester3</artifactId>
+      <version>3.2</version>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>dashboard-view</artifactId>

diff --git a/src/main/java/com/vectorcast/plugins/vectorcastcoverage/CoverageReport.java b/src/main/java/com/vectorcast/plugins/vectorcastcoverage/CoverageReport.java
@@ -2,9 +2,10 @@
 
 import hudson.model.Run;
 import hudson.util.IOException2;
-import org.apache.commons.digester.Digester;
+import org.apache.commons.digester3.Digester;
 import org.xml.sax.SAXException;
 
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -27,7 +28,7 @@ public CoverageReport(VectorCASTBuildAction action, InputStream... xmlReports) t
         int idx = 0;
         for (InputStream is: xmlReports) {
           try {
-            createDigester().parse(is);
+            createDigester(!Boolean.getBoolean(this.getClass().getName() + ".UNSAFE")).parse(is);
             idx += 1;
           } catch (SAXException e) {
               throw new IOException2("Failed to parse XML:" + idx,e);
@@ -40,7 +41,7 @@ public CoverageReport(VectorCASTBuildAction action, InputStream... xmlReports) t
     public CoverageReport(VectorCASTBuildAction action, File xmlReport) throws IOException {
         this(action);
         try {
-            createDigester().parse(xmlReport);
+            createDigester(!Boolean.getBoolean(this.getClass().getName() + ".UNSAFE")).parse(xmlReport);
         } catch (SAXException e) {
             throw new IOException2("Failed to parse "+xmlReport,e);
         }
@@ -64,8 +65,19 @@ public Run<?,?> getBuild() {
     /**
      * Creates a configured {@link Digester} instance for parsing report XML.
      */
-    private Digester createDigester() {
+    private Digester createDigester(boolean secure) throws SAXException {
         Digester digester = new Digester();
+        if (secure) {
+            digester.setXIncludeAware(false);
+            try {
+                digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            } catch (ParserConfigurationException ex) {
+                throw new SAXException("Failed to securely configure xml digester parser", ex);
+            }
+        }
         digester.setClassLoader(getClass().getClassLoader());
 
         digester.push(this);