From c4ab38fef3658a02315a00288b934bdd9981b3a4 Mon Sep 17 00:00:00 2001
From: Sven Jost
Date: Fri, 25 Mar 2022 14:01:50 +0100
Subject: [PATCH] [SECURITY-1899]
---
 .../flakyTestHandler/junit/FlakySuiteResult.java | 6 +++++-
 .../flakyTestHandler/junit/FlakyTestResult.java | 13 +++----------
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakySuiteResult.java b/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakySuiteResult.java
index 1ec9018..5adda8b 100644
--- a/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakySuiteResult.java
+++ b/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakySuiteResult.java
@@ -36,6 +36,7 @@
 import hudson.tasks.junit.CaseResult;
 import hudson.tasks.test.TestObject;
 import hudson.util.io.ParserConfigurator;
+import org.xml.sax.SAXException;
 /**
 * Result of one test suite augmented with flaky information.
@@ -101,11 +102,14 @@ public static class SuiteResultParserConfigurationContext {
 * This method returns a collection, as a single XML may have multiple <testsuite>
 * elements wrapped into the top-level <testsuites>.
 */
- static List parse(File xmlReport, boolean keepLongStdio) throws DocumentException, IOException, InterruptedException {
+ static List parse(File xmlReport, boolean keepLongStdio) throws DocumentException, IOException, InterruptedException, SAXException {
 List r = new ArrayList();
 // parse into DOM
 SAXReader saxReader = new SAXReader();
+ saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 ParserConfigurator.applyConfiguration(saxReader,new SuiteResultParserConfigurationContext(xmlReport));
 Document result = saxReader.read(xmlReport);
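Review bot: The three `setFeature` calls in `FlakySuiteResult.parse` run before `ParserConfigurator.applyConfiguration(saxReader, ...)`, so the hardening is applied first rather than last. If any registered configurator adjusts the reader's features or entity handling (not visible in this hunk), it would get the final word. Moving the three calls to just after `applyConfiguration` and before `saxReader.read(xmlReport)` would make the DOCTYPE and external-entity restrictions the effective settings. A short comment such as `// XXE hardening: reject DOCTYPE declarations and external entities in report files` would also explain to maintainers why a report containing a DOCTYPE is now rejected. The body of `parse` continues outside the hunk.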
diff --git a/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakyTestResult.java b/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakyTestResult.java
index 585e247..e8819e3 100644
--- a/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakyTestResult.java
+++ b/src/main/java/com/google/jenkins/flakyTestHandler/junit/FlakyTestResult.java
@@ -42,6 +42,7 @@
 import hudson.tasks.test.AbstractTestResultAction;
 import hudson.tasks.test.MetaTabulatedResult;
 import hudson.tasks.test.TestObject;
+import org.xml.sax.SAXException;
 /**
 * Root of all the test results for one build, including flaky runs information.
@@ -119,13 +120,7 @@ public FlakyTestResult(TestResult testResult) {
 try {
 suites.addAll(FlakySuiteResult.parse(new File(suiteResult.getFile()), true));
 testResultInstance = testResult;
- } catch (DocumentException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- } catch (InterruptedException e) {
- e.printStackTrace();
- } catch (NullPointerException e) {
+ } catch (DocumentException | IOException | InterruptedException | NullPointerException | SAXException e) {
 e.printStackTrace();
 }
 }
@@ -294,9 +289,7 @@ public void parse(File reportFile) throws IOException {
 try {
 for (FlakySuiteResult suiteResult : FlakySuiteResult.parse(reportFile, keepLongStdio))
 add(suiteResult);
- } catch (InterruptedException e) {
- throw new IOException("Failed to read "+reportFile,e);
- } catch (RuntimeException e) {
+ } catch (InterruptedException | SAXException | RuntimeException e) {
 throw new IOException("Failed to read "+reportFile,e);
 } catch (DocumentException e) {
 if (!reportFile.getPath().endsWith(".xml")) {
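Review bot: In the `FlakyTestResult(TestResult)` constructor the merged catch still ends in `e.printStackTrace()`, so a report rejected by the hardened parser, or a `SAXException` raised while configuring it, is dropped from `suites` with only a stderr trace, and an `InterruptedException` is swallowed without restoring the interrupt flag. Keeping `InterruptedException` in its own clause that calls `Thread.currentThread().interrupt();`, and logging the other failures together with `suiteResult.getFile()` through a logger, would make a rejected report visible to whoever operates the instance. The same interrupt point applies to `parse(File)` in the last hunk, where `InterruptedException` is wrapped into an `IOException`. Catching `NullPointerException` alongside the parse errors also hides the difference between a missing file path and a malformed report; an explicit null check on `suiteResult.getFile()` would be clearer. Both methods start and end outside their hunks.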