HDFS-16410. Insecure Xml parsing in OfflineEditsXmlLoader (apache#3854)

hotcodemacha · aajisaka · commit b567dcd05f95 · 2022-01-11T02:16:08.000+09:00
Contributed by Ashutosh Gupta (cherry picked from commit 43e5218)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
@@ -86,6 +86,10 @@ public OfflineEditsXmlLoader(OfflineEditsVisitor visitor,
   public void loadEdits() throws IOException {
     try {
       XMLReader xr = XMLReaderFactory.createXMLReader();
+      xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+      xr.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
       xr.setContentHandler(this);
       xr.setErrorHandler(this);
       xr.setDTDHandler(null);
