Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory

veraPDF · Nov 4, 2024 · 4932ddd · 4932ddd
1 parent d779eec
commit 4932ddd
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java b/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java
@@ -39,6 +39,7 @@
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -170,6 +171,11 @@ public static boolean isLegalExtension(final List<File> toCheck, final String[]
 
 	public static FeatureExtractorConfig mergeEnabledFeaturesFromPolicy(FeatureExtractorConfig currentConfig, InputStream policy) throws ParserConfigurationException, IOException, SAXException, XPathExpressionException {
 		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+		try {
+			dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+		} catch (Exception e) {
+			LOGGER.log(Level.WARNING, "Unable to secure policy processing");
+		}
 		dbf.setNamespaceAware(true);
 		DocumentBuilder db = dbf.newDocumentBuilder();
 		Document document = db.parse(policy);