agent Spotbugs Fixes: XXE_DOCUMENT

littleaj · littleaj · commit f3136a3350d5 · 2019-12-27T18:51:55.000-08:00
Add secure processing feature to DocumentBuilder.
Ignore false positives.
diff --git a/agent/spotbugs.exclude.xml b/agent/spotbugs.exclude.xml
@@ -32,4 +32,10 @@
             </And>
         </Or>
     </Match>
+    <Match>
+        <Bug pattern="XXE_DOCUMENT" />
+        <!-- False Positive. This feature is set in createDocumentBuidler() -->
+        <Class name="com.microsoft.applicationinsights.agent.internal.config.builder.XmlAgentConfigurationBuilder" />
+        <Method name="getTopTag" />
+    </Match>
 </FindBugsFilter>
diff --git a/agent/src/main/java/com/microsoft/applicationinsights/agent/internal/config/builder/XmlAgentConfigurationBuilder.java b/agent/src/main/java/com/microsoft/applicationinsights/agent/internal/config/builder/XmlAgentConfigurationBuilder.java
@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -238,8 +239,8 @@ private void addMethods(ClassInstrumentationData classData, Element classNode) {
     }
 
     private Element getTopTag(File configurationFile) throws ParserConfigurationException, IOException, SAXException {
-        DocumentBuilder builder = createDocumentBuilder();
         try (final FileInputStream fis = new FileInputStream(configurationFile)) {
+            DocumentBuilder builder = createDocumentBuilder();
             Document doc = builder.parse(fis);
             doc.getDocumentElement().normalize();
 
@@ -261,6 +262,7 @@ private DocumentBuilder createDocumentBuilder() throws ParserConfigurationExcept
         DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
         // mitigates CWE-611: https://cwe.mitre.org/data/definitions/611.html
         dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         dbFactory.setXIncludeAware(false);
         dbFactory.setExpandEntityReferences(false);
         return dbFactory.newDocumentBuilder();
