[AAE-16206] XXE XML logic moved

Activiti · Sep 6, 2023 · 8e5cd84 · 8e5cd84
1 parent cf7c097
commit 8e5cd84
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/...ain/java/org/activiti/cloud/services/modeling/converter/ProcessModelContentConverter.java b/...ain/java/org/activiti/cloud/services/modeling/converter/ProcessModelContentConverter.java
@@ -15,8 +15,6 @@
  */
 package org.activiti.cloud.services.modeling.converter;
 
-import static org.activiti.bpmn.converter.util.BpmnXMLUtil.createSafeXmlInputFactory;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -80,9 +78,6 @@ public Optional<BpmnProcessModelContent> convertToModelContent(BpmnModel bpmnMod
     public BpmnModel convertToBpmnModel(byte[] modelContent) {
         try (InputStreamReader reader = new InputStreamReader(new ByteArrayInputStream(modelContent))) {
             XMLInputFactory safeXmlInputFactory = createSafeXmlInputFactory();
-            if (safeXmlInputFactory.isPropertySupported("http://apache.org/xml/features/disallow-doctype-decl")) {
-                safeXmlInputFactory.setProperty("http://apache.org/xml/features/disallow-doctype-decl", true);
-            }
             XMLStreamReader xmlReader = safeXmlInputFactory.createXMLStreamReader(reader);
             return bpmnConverter.convertToBpmnModel(xmlReader);
         } catch (IOException ioError) {
@@ -94,6 +89,23 @@ public BpmnModel convertToBpmnModel(byte[] modelContent) {
         }
     }
 
+    private XMLInputFactory createSafeXmlInputFactory() {
+        XMLInputFactory xif = XMLInputFactory.newInstance();
+        if (xif.isPropertySupported("javax.xml.stream.isReplacingEntityReferences")) {
+            xif.setProperty("javax.xml.stream.isReplacingEntityReferences", false);
+        }
+
+        if (xif.isPropertySupported("javax.xml.stream.isSupportingExternalEntities")) {
+            xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+        }
+
+        if (xif.isPropertySupported("javax.xml.stream.supportDTD")) {
+            xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        }
+
+        return xif;
+    }
+
     @Override
     public FileContent overrideModelId(FileContent fileContent, Map<String, String> modelIdentifiers) {
         FileContent newFileContent;