Merge pull request #180 from splunk/DVPL-7631

bparmar-splunk · web-flow · commit b10bc8d6a980 · 2021-12-07T10:02:27.000+05:30
External Entities restricted in XML factory.
diff --git a/splunk/src/main/java/com/splunk/Xml.java b/splunk/src/main/java/com/splunk/Xml.java
@@ -52,6 +52,10 @@ public static Document parse(InputStream input, boolean silent) {
         try {
             DocumentBuilderFactory factory =
                 DocumentBuilderFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setExpandEntityReferences(false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
             factory.setNamespaceAware(false);
             DocumentBuilder builder = factory.newDocumentBuilder();
             if (silent)
diff --git a/splunk/src/main/java/com/splunk/modularinput/InputDefinition.java b/splunk/src/main/java/com/splunk/modularinput/InputDefinition.java
@@ -175,6 +175,10 @@ public static InputDefinition parseDefinition(InputStream stream) throws ParserC
             IOException, SAXException, MalformedDataException {
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
         documentBuilderFactory.setIgnoringElementContentWhitespace(true);
+        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        documentBuilderFactory.setExpandEntityReferences(false);
+        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         Document doc = documentBuilder.parse(stream);
 
diff --git a/splunk/src/main/java/com/splunk/modularinput/ValidationDefinition.java b/splunk/src/main/java/com/splunk/modularinput/ValidationDefinition.java
@@ -194,6 +194,10 @@ public static ValidationDefinition parseDefinition(InputStream stream) throws Pa
             IOException, SAXException, MalformedDataException {
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
         documentBuilderFactory.setIgnoringElementContentWhitespace(true);
+        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        documentBuilderFactory.setExpandEntityReferences(false);
+        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         Document doc = documentBuilder.parse(stream);
 
