Fixed security vulnerabilities identified by sonarqube

marinier · marinier · commit ae6a2ecf1c86 · 2022-05-15T15:29:01.000-04:00
diff --git a/jsoar-core/src/main/java/org/jsoar/kernel/io/xml/AbstractXmlFileToWme.java b/jsoar-core/src/main/java/org/jsoar/kernel/io/xml/AbstractXmlFileToWme.java
@@ -8,6 +8,7 @@
 import java.io.File;
 import java.io.IOException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -125,6 +126,8 @@ protected Element getRootElement(File f)
         try
         {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document dom = db.parse(f);
             return dom.getDocumentElement();
diff --git a/jsoar-core/src/main/java/org/jsoar/util/XmlTools.java b/jsoar-core/src/main/java/org/jsoar/util/XmlTools.java
@@ -12,6 +12,7 @@
 import java.io.Reader;
 import java.io.StringReader;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -54,6 +55,8 @@ public class XmlTools
     public static DocumentBuilder createDocumentBuilder()
     {
         final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         try
         {
            return docFactory.newDocumentBuilder();
@@ -99,6 +102,8 @@ public static void write(Node node, OutputStream out) throws IOException
         try
         {
             TransformerFactory xformFactory = TransformerFactory.newInstance();
+            xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            xformFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
             Transformer idTransform = xformFactory.newTransformer();
             idTransform.setOutputProperty(OutputKeys.VERSION, "1.0");
             idTransform.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
