Fix code scanning alert no. 6: Resolving XML external entity in user-controlled data

hazendaz · github-advanced-security[bot] · web-flow · commit 1559f3a85f42 · 2024-09-25T20:07:33.000-04:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/main/java/org/apache/ibatis/parsing/XPathParser.java b/src/main/java/org/apache/ibatis/parsing/XPathParser.java
@@ -231,13 +231,16 @@ private Document createDocument(InputSource inputSource) {
     try {
       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
       factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
       factory.setValidating(validation);
 
       factory.setNamespaceAware(false);
       factory.setIgnoringComments(true);
       factory.setIgnoringElementContentWhitespace(false);
       factory.setCoalescing(false);
-      factory.setExpandEntityReferences(true);
+      factory.setExpandEntityReferences(false);
 
       DocumentBuilder builder = factory.newDocumentBuilder();
       builder.setEntityResolver(entityResolver);
