SECURITY-1751: enable secure processing not to allow XXE exploit on X…

…ML files
jenkinsci · Feb 8, 2020 · 7a913b9 · 7a913b9
1 parent 54bf52e
commit 7a913b9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/src/main/java/hudson/plugins/fitnesse/ConvertReport.java b/src/main/java/hudson/plugins/fitnesse/ConvertReport.java
@@ -5,6 +5,7 @@
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.*;
 import java.io.*;
 
 /**
@@ -18,6 +19,8 @@ public static void generateJunitResult(FilePath inputFilePath, FilePath outputFi
         Source stylesheetSource = new StreamSource(reader);
 
         TransformerFactory factory = TransformerFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
         Transformer transformer = factory.newTransformer(stylesheetSource);
 
         Source inputSource = new StreamSource(inputFilePath.read());

diff --git a/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java b/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java
@@ -12,6 +12,7 @@
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.*;
 
 public class FitnessePlugin extends Plugin {
 	static Templates templates;
@@ -31,6 +32,7 @@ private static void initTemplate() throws TransformerFactoryConfigurationError,
 
 			StreamSource xslSource = new StreamSource(isDeBom);
 			TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			templates = transformerFactory.newTemplates(xslSource);
 		} finally {
 			if (is != null)