From a036e646af3ccf40047d6df092e79059991d866a Mon Sep 17 00:00:00 2001
From: Maxim
Date: Mon, 4 Nov 2024 14:40:44 +0300
Subject: [PATCH] Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory
---
 .../main/java/org/verapdf/apps/utils/ApplicationUtils.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java b/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java
index 9b6c6b74..41591ba7 100644
--- a/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java
+++ b/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java
@@ -19,6 +19,7 @@ import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -150,6 +151,11 @@ public static boolean isLegalExtension(final List toCheck, final String[]
 public static FeatureExtractorConfig mergeEnabledFeaturesFromPolicy(FeatureExtractorConfig currentConfig, InputStream policy) throws ParserConfigurationException, IOException, SAXException, XPathExpressionException {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ try {
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (Exception e) {
+ LOGGER.log(Level.WARNING, "Unable to secure policy processing");
+ }
 dbf.setNamespaceAware(true);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document document = db.parse(policy);
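Review bot: The new `catch (Exception e)` around `setFeature` in the second hunk fails open: if the factory rejects `FEATURE_SECURE_PROCESSING`, the code logs a warning that omits the exception and still reaches `db.parse(policy)` with an unhardened parser. `mergeEnabledFeaturesFromPolicy` already declares `throws ParserConfigurationException`, which is the exception `setFeature` throws, so the try/catch can be dropped in favour of a bare `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` that aborts the merge when the feature is unsupported. What secure processing actually restricts varies with the JAXP implementation on the classpath, so if policy files never need a DOCTYPE it is worth also adding `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` to rule out external entities explicitly. The method body continues past the end of the hunk, so how `document` is used afterwards is not visible here.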