diff --git a/backend/pom.xml b/backend/pom.xml
index 7fc7719..f3efba0 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -5,7 +5,7 @@
ru.micord.ervu
eks
- 1.1.4
+ 1.1.5
ru.micord.ervu.eks
backend
diff --git a/config-data-executor/pom.xml b/config-data-executor/pom.xml
index a82a7e7..7a0c8bd 100644
--- a/config-data-executor/pom.xml
+++ b/config-data-executor/pom.xml
@@ -6,7 +6,7 @@
ru.micord.ervu
eks
- 1.1.4
+ 1.1.5
ru.micord.ervu.eks
config-data-executor
diff --git a/config-data-executor/src/main/java/org/micord/service/RequestService.java b/config-data-executor/src/main/java/org/micord/service/RequestService.java
index ea810f9..73a73d0 100644
--- a/config-data-executor/src/main/java/org/micord/service/RequestService.java
+++ b/config-data-executor/src/main/java/org/micord/service/RequestService.java
@@ -23,6 +23,7 @@ import java.util.stream.IntStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import jakarta.annotation.PostConstruct;
import org.micord.config.ArangoDBConnection;
import org.micord.config.DatabaseConnection;
import org.micord.config.S3HttpConnection;
@@ -56,12 +57,18 @@ public class RequestService {
private static final Logger logger = LoggerFactory.getLogger(RequestService.class);
+ private DocumentBuilderFactory secureDocumentFactory;
@Autowired
private HttpClient httpClient;
@Autowired
private ValidationService validationService;
+ @PostConstruct
+ public void init() {
+ secureDocumentFactory = createSecureDocumentBuilderFactory();
+ }
+
private void processS3Request(S3Request request, RequestParameters parameters, Map validationResults) {
logger.info("B. Starting processing of single S3 request");
try {
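Review bot: The new `secureDocumentFactory` field is shared by every caller of this bean, but JAXP does not guarantee that a `DocumentBuilderFactory` implementation is thread-safe, and `handleErrorResponse` in the later hunk calls `newDocumentBuilder()` on it without synchronization. If `RequestService` is a singleton Spring bean handling concurrent requests (inferred from the `@Autowired` fields), either build the hardened factory per call, `DocumentBuilder builder = createSecureDocumentBuilderFactory().newDocumentBuilder();`, or guard the shared instance with a lock. The field is also only assigned in `@PostConstruct`, so an instance created outside the container (for example a plain unit test) hits a `NullPointerException` on the first error response. If the field is kept, give it a comment such as `// Hardened against XXE; never replace with DocumentBuilderFactory.newInstance()`. The body of `processS3Request` continues outside this hunk.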
@@ -219,8 +226,7 @@ public class RequestService {
private void handleErrorResponse(HttpResponse response, String file) {
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
+ DocumentBuilder builder = secureDocumentFactory.newDocumentBuilder();
InputSource is = new InputSource(new StringReader(response.body()));
Document doc = builder.parse(is);
Element root = doc.getDocumentElement();
@@ -703,4 +709,14 @@ public class RequestService {
}
}
+ private DocumentBuilderFactory createSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ catch (Exception e) {
+ throw new RuntimeException("Failed to secure XML parser", e);
+ }
+ return factory;
+ }
}
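Review bot: `createSecureDocumentBuilderFactory` relies on a single Xerces-specific feature and wraps it in `catch (Exception e)`, which is broader than the `ParserConfigurationException` that `setFeature` declares. Failing closed when the feature is unsupported is the right behaviour and should be kept. Because the parsed input is a remote HTTP response body, it is worth also enabling `XMLConstants.FEATURE_SECURE_PROCESSING` and turning off XInclude and entity expansion, so the parser stays hardened if the DOCTYPE ban is ever relaxed. The sketch below needs `javax.xml.XMLConstants` and `javax.xml.parsers.ParserConfigurationException` imported if the file does not already have them. A short Javadoc stating that the factory rejects any document containing a DOCTYPE would also help future maintainers.

```java
private DocumentBuilderFactory createSecureDocumentBuilderFactory() {
    // … unchanged: DocumentBuilderFactory.newInstance() …
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // … unchanged: disallow-doctype-decl feature …
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    }
    catch (ParserConfigurationException e) {
        throw new IllegalStateException("Failed to secure XML parser", e);
    }
    // … unchanged: return factory …
```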
diff --git a/frontend/pom.xml b/frontend/pom.xml
index 456c755..961fece 100644
--- a/frontend/pom.xml
+++ b/frontend/pom.xml
@@ -4,7 +4,7 @@
ru.micord.ervu
eks
- 1.1.4
+ 1.1.5
ru.micord.ervu.eks
diff --git a/pom.xml b/pom.xml
index bde114a..b2c8af9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
4.0.0
ru.micord.ervu
eks
- 1.1.4
+ 1.1.5
pom
backend
diff --git a/resources/pom.xml b/resources/pom.xml
index 9a054e2..63f2172 100644
--- a/resources/pom.xml
+++ b/resources/pom.xml
@@ -4,7 +4,7 @@
ru.micord.ervu
eks
- 1.1.4
+ 1.1.5
ru.micord.ervu.eks