Add more xxe preventions

1 files changed, 13 insertions, 1 deletions

diff --git a/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java b/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
index 9780d4b0c17..d50a2e9773d 100644
--- a/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
+++ b/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
@@ -41,12 +41,24 @@ abstract class XmlHelper {
     public static Element parseXmlStream(InputStream in)
             throws ParserConfigurationException, IOException, SAXException
     {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory factory = createDocumentBuilderFactory();
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document doc = builder.parse(in);
         return doc.getDocumentElement();
     }
 
+    private static DocumentBuilderFactory createDocumentBuilderFactory() throws ParserConfigurationException {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        factory.setXIncludeAware(false);
+
+        // XXE prevention
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        return factory;
+    }
+
     public static String getAttributeText(Node node, String name) {
         Node valueNode = node.getAttributes().getNamedItem(name);
         if (valueNode == null) {