Adding Sast scan issue recommended fixes (#281)

* Adding Sast scan issue recommended fixes * Adding Sast scan issue recommended fixes Signed-off-by: Arun Venmany <[email protected]> * Incorparating Review Comments Signed-off-by: Arun Venmany <[email protected]> * Incorparating Review Comments Signed-off-by: Arun Venmany <[email protected]> --------- Signed-off-by: Arun Venmany <[email protected]>
OpenLiberty · Aug 5, 2024 · 35c4e63 · 35c4e63
1 parent 5e55f1e
commit 35c4e63
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/DocumentUtil.java b/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/DocumentUtil.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Copyright (c) 2023 IBM Corporation and others.
+* Copyright (c) 2023, 2024     IBM Corporation and others.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0 which is available at
@@ -26,6 +26,7 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -43,6 +44,11 @@ public static Document getDocument(File inputFile) throws Exception {
             DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
             docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
             docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            docFactory.setXIncludeAware(false);
             docFactory.setNamespaceAware(true);
             docFactory.setExpandEntityReferences(false);
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();

diff --git a/liberty-ls/src/main/java/io/openliberty/tools/langserver/utils/XmlReader.java b/liberty-ls/src/main/java/io/openliberty/tools/langserver/utils/XmlReader.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Copyright (c) 2023 IBM Corporation and others.
+* Copyright (c) 2023, 2024 IBM Corporation and others.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0 which is available at
@@ -21,6 +21,7 @@
 import java.util.Set;
 import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
@@ -58,6 +59,8 @@ public static Map<String, String> getElementValues(File file, Set<String> elemen
             factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
             factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
             factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+
         } catch (Exception e) {
             LOGGER.warning("Could not set properties on XMLInputFactory.");
         }