LogRecords.java, line 146 (XML External Entity Injection) - Fortify

jisedlac · jisedlac · commit d3228737fec1 · 2019-03-06T19:22:00.000+01:00
diff --git a/visualvm/libs.profiler/profiler.snaptracer/src/org/graalvm/visualvm/lib/profiler/snaptracer/logs/LogRecords.java b/visualvm/libs.profiler/profiler.snaptracer/src/org/graalvm/visualvm/lib/profiler/snaptracer/logs/LogRecords.java
@@ -129,6 +129,8 @@ public static void scan(InputStream is, Handler h) throws IOException {
             try{
                 f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                 f.setFeature("http://apache.org/xml/features/continue-after-fatal-error", true); // NOI18N
+                f.setFeature("http://xml.org/sax/features/external-general-entities", false); // NOI18N
+                f.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // NOI18N
             }catch (SAXNotRecognizedException snre){
                 LOG.log(Level.INFO, null, snre);
             }

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,8 @@ public static void scan(InputStream is, Handler h) throws IOException {`
`129`	`129`	`try{`
`130`	`130`	`f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`
`131`	`131`	`f.setFeature("http://apache.org/xml/features/continue-after-fatal-error", true); // NOI18N`
	`132`	`+ f.setFeature("http://xml.org/sax/features/external-general-entities", false); // NOI18N`
	`133`	`+ f.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // NOI18N`
`132`	`134`	`}catch (SAXNotRecognizedException snre){`
`133`	`135`	`LOG.log(Level.INFO, null, snre);`
`134`	`136`	`}`