fix: issue reported by CodeQL (#14936)

matrei · web-flow · commit 8dc40cd5dfd1 · 2025-07-29T16:34:49.000+02:00
Error from CodeQL:
Resolving XML external entity in user-controlled data
XML parsing depends on a without guarding against external
entity expansion.
diff --git a/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java b/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java
@@ -285,12 +285,10 @@ private static InputStream retrieveMavenMetadata(GrailsWrapperRepo repo, String
     }
 
     private GrailsVersion getRootVersion(GrailsWrapperRepo repo) throws IOException, SAXException, ParserConfigurationException {
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        SAXParser saxParser = factory.newSAXParser();
         RootMetadataHandler findLastReleaseHandler = new RootMetadataHandler(grailsWrapperHome.allowedReleaseTypes);
 
         try (InputStream stream = retrieveMavenMetadata(repo, repo.getRootMetadataUrl())) {
-            saxParser.parse(stream, findLastReleaseHandler);
+            createSAXParser().parse(stream, findLastReleaseHandler);
             List<GrailsVersion> foundVersions = findLastReleaseHandler.getVersions();
             if (foundVersions.isEmpty()) {
                 throw new IllegalStateException("No Grails Releases were found for the allowed types: " + grailsWrapperHome.allowedReleaseTypes.stream().map(Enum::name).collect(Collectors.joining(", ")));
@@ -306,12 +304,10 @@ private GrailsVersion getRootVersion(GrailsWrapperRepo repo) throws IOException,
     private String fetchSnapshotForVersion(GrailsWrapperRepo repo, GrailsVersion baseVersion) throws IOException, SAXException, ParserConfigurationException {
         System.out.println("...A Grails snapshot version has been detected. Downloading latest snapshot.");
 
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        SAXParser saxParser = factory.newSAXParser();
         FindLastSnapshotHandler findVersionHandler = new FindLastSnapshotHandler();
 
         try (InputStream stream = retrieveMavenMetadata(repo, repo.getMetadataUrl(baseVersion))) {
-            saxParser.parse(stream, findVersionHandler);
+            createSAXParser().parse(stream, findVersionHandler);
             return findVersionHandler.getVersion();
         }
     }
@@ -323,4 +319,15 @@ private static HttpURLConnection createHttpURLConnection(String mavenMetadataFil
         conn.setInstanceFollowRedirects(true);
         return conn;
     }
+
+    private static SAXParser createSAXParser() throws ParserConfigurationException, SAXException {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setXIncludeAware(false);
+        factory.setNamespaceAware(true);
+        return factory.newSAXParser();
+    }
 }
