From 7a913b9ff7e5a6acb0f4f4ec88d86da79db6af77 Mon Sep 17 00:00:00 2001
From: Federico Pellegrin
Date: Thu, 6 Feb 2020 17:03:49 +0100
Subject: [PATCH] SECURITY-1751: enable secure processing not to allow XXE exploit on XML files

---
 src/main/java/hudson/plugins/fitnesse/ConvertReport.java | 3 +++
 src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/src/main/java/hudson/plugins/fitnesse/ConvertReport.java b/src/main/java/hudson/plugins/fitnesse/ConvertReport.java
index abc27f1..ca2ff56 100644
--- a/src/main/java/hudson/plugins/fitnesse/ConvertReport.java
+++ b/src/main/java/hudson/plugins/fitnesse/ConvertReport.java
@@ -5,6 +5,7 @@ import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.*;
 import java.io.*;
 /**
@@ -18,6 +19,8 @@ public static void generateJunitResult(FilePath inputFilePath, FilePath outputFi
 Source stylesheetSource = new StreamSource(reader);
 TransformerFactory factory = TransformerFactory.newInstance();
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
 Transformer transformer = factory.newTransformer(stylesheetSource);
 Source inputSource = new StreamSource(inputFilePath.read());
diff --git a/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java b/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java
index ad60cde..27c50f5 100644
--- a/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java
+++ b/src/main/java/hudson/plugins/fitnesse/FitnessePlugin.java
@@ -12,6 +12,7 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.*;
 public class FitnessePlugin extends Plugin {
 static Templates templates;
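Review bot: `import javax.xml.*;` brings in a whole package for the single constant `XMLConstants.FEATURE_SECURE_PROCESSING`, while the imports right next to it name their classes explicitly (`StreamResult`, `StreamSource`); the same wildcard is added in the FitnessePlugin.java hunk at `@@ -12,6 +12,7`. Replacing both with `import javax.xml.XMLConstants;` keeps the file's explicit-import style and makes the security-relevant dependency visible by name in the import list.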
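Review bot: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` only restricts external DTD and entity access for the parser that reads `inputFilePath` through implementation-specific defaults: the JDK's built-in XSLTC maps the feature to empty `accessExternalDTD`/`accessExternalStylesheet` values, but `TransformerFactory.newInstance()` selects whichever implementation the service loader finds on the plugin classpath, and a different implementation may apply the feature only to extension functions. Set the two properties explicitly, directly after the new `setFeature` line, so the hardening does not depend on which factory is loaded: `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` (an implementation that does not recognise the attribute throws `IllegalArgumentException`, which fails closed rather than transforming with an unhardened parser). The same applies to the `initTemplate()` hunk in FitnessePlugin.java. A one-line comment above the call, `// SECURITY-1751: block external DTDs/entities in the build-supplied results XML`, would tell the next maintainer why the line must stay ahead of `newTransformer`. `generateJunitResult` starts and ends outside the hunk.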
@@ -31,6 +32,7 @@ private static void initTemplate() throws TransformerFactoryConfigurationError,
 StreamSource xslSource = new StreamSource(isDeBom);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 templates = transformerFactory.newTemplates(xslSource);
 } finally {
 if (is != null)
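Review bot: The new `setFeature` line carries no explanation, and this is the one place where the class-wide `templates` object gets its security configuration, so a later reordering of the initialisation could move it after `newTemplates(xslSource)`, where it would no longer affect the compiled stylesheet. Add `// SECURITY-1751: must be set on the factory before newTemplates() so it applies to the Transformers later created from templates` above the call; in the JDK implementation the factory's secure-processing state appears to be carried into the Templates, but that should be confirmed for whichever implementation the plugin classpath selects. `setFeature` also throws a checked `TransformerConfigurationException` when the selected implementation cannot honour the feature; the throws clause is cut off in the hunk header, but letting that propagate (leaving `templates` unset) is the right fail-closed outcome and is worth stating in the same comment. `initTemplate()` begins and ends outside the hunk.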