From 7ce4cb8aa5fd87697a401670d8deb521088f614a Mon Sep 17 00:00:00 2001
From: "Marvin S. Addison"
Date: Tue, 25 Jun 2019 08:01:46 -0400
Subject: [PATCH] Provide for secure XML processing.

Follow recommendations at https://wiki.shibboleth.net/confluence/x/XoEYAw which are consistent with recommendations on #191 to prevent XXE vectors. Resolves #191 See https://github.com/apereo/java-cas-client/issues/191
---
 .../java/org/jasig/cas/client/util/XmlUtils.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
index 219a340..6d8bb65 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
@@ -61,6 +61,7 @@ public final class XmlUtils {
         final Map features = new HashMap();
         features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
         for (final Map.Entry entry : features.entrySet()) {
             try {
                 factory.setFeature(entry.getKey(), entry.getValue());
@@ -68,6 +69,7 @@ public final class XmlUtils {
                 LOGGER.warn("Failed setting XML feature {}: {}", entry.getKey(), e);
             }
         }
+        factory.setExpandEntityReferences(false);
         factory.setNamespaceAware(true);
         try {
             return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
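Review bot: The DOM path hardened here does not disable external general and parameter entities, whereas the SAX path in getXmlReader (second hunk) does, so the two parsers built by this class are not hardened equivalently. Adding `features.put("http://xml.org/sax/features/external-general-entities", false);` and `features.put("http://xml.org/sax/features/external-parameter-entities", false);` to the map next to the new disallow-doctype-decl entry closes that gap on parsers that honour those features. Note also that the disallow-doctype-decl URI is Xerces-specific and the loop only logs at WARN when setFeature rejects a feature, so on a non-Xerces implementation parsing silently proceeds with whatever subset was accepted; that best-effort behaviour deserves a comment on the loop, e.g. `// Best effort: unsupported vendor features are logged, not fatal.` The enclosing method starts before and ends after this hunk.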
@@ -83,11 +85,14 @@ public final class XmlUtils {
      */
     public static XMLReader getXmlReader() {
         try {
-            final XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
-            reader.setFeature("http://xml.org/sax/features/namespaces", true);
-            reader.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
-            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-            return reader;
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setNamespaceAware(true);
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            return factory.newSAXParser().getXMLReader();
         } catch (final Exception e) {
             throw new RuntimeException("Unable to create XMLReader", e);
         }
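Review bot: The Javadoc that ends at the `*/` at the top of this hunk does not state that getXmlReader now fails outright when the parser rejects any of the new features, which differs from the DOM path in the first hunk that merely logs a warning per feature; since the disallow-doctype-decl URI is Xerces-specific, another SAX implementation would hit the catch-all and get the wrapped RuntimeException. Add `* @throws RuntimeException if the underlying parser does not support one of the required security features (the reader fails closed)` to that Javadoc. The dropped namespace-prefixes line appears to be covered by `factory.setNamespaceAware(true)`, which under JAXP turns the SAX namespaces feature on and namespace-prefixes off, though that is worth confirming against the parser actually bundled. Consider also adding `factory.setXIncludeAware(false);` beside the other settings, since XInclude can fetch external resources independently of DTD handling.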