Merge branch 'hotfix/1.1.5'

backend/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>ru.micord.ervu</groupId>
     <artifactId>eks</artifactId>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
   </parent>
   <groupId>ru.micord.ervu.eks</groupId>
   <artifactId>backend</artifactId>

config-data-executor/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>ru.micord.ervu</groupId>
     <artifactId>eks</artifactId>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
   </parent>
   <groupId>ru.micord.ervu.eks</groupId>
   <artifactId>config-data-executor</artifactId>

config-data-executor/src/main/java/org/micord/service/RequestService.java

@@ -23,6 +23,7 @@ import java.util.stream.IntStream;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 
+import jakarta.annotation.PostConstruct;
 import org.micord.config.ArangoDBConnection;
 import org.micord.config.DatabaseConnection;
 import org.micord.config.S3HttpConnection;
@@ -56,12 +57,18 @@ public class RequestService {
 
   private static final Logger logger = LoggerFactory.getLogger(RequestService.class);
 
+  private DocumentBuilderFactory secureDocumentFactory;
   @Autowired
   private HttpClient httpClient;
 
   @Autowired
   private ValidationService validationService;
 
+  @PostConstruct
+  public void init() {
+    secureDocumentFactory = createSecureDocumentBuilderFactory();
+  }
+
   private void processS3Request(S3Request request, RequestParameters parameters, Map<String, Boolean> validationResults) {
     logger.info("B. Starting processing of single S3 request");
     try {
@@ -219,8 +226,7 @@ public class RequestService {
 
   private void handleErrorResponse(HttpResponse<String> response, String file) {
     try {
-      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+      DocumentBuilder builder = secureDocumentFactory.newDocumentBuilder();
-      DocumentBuilder builder = factory.newDocumentBuilder();
       InputSource is = new InputSource(new StringReader(response.body()));
       Document doc = builder.parse(is);
       Element root = doc.getDocumentElement();
@@ -703,4 +709,14 @@ public class RequestService {
     }
   }
 
+  private DocumentBuilderFactory createSecureDocumentBuilderFactory() {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    try {
+      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    }
+    catch (Exception e) {
+      throw new RuntimeException("Failed to secure XML parser", e);
+    }
+    return factory;
+  }
 }

frontend/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>ru.micord.ervu</groupId>
     <artifactId>eks</artifactId>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
   </parent>
 
   <groupId>ru.micord.ervu.eks</groupId>

pom.xml

@@ -4,7 +4,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>ru.micord.ervu</groupId>
   <artifactId>eks</artifactId>
-  <version>1.1.4</version>
+  <version>1.1.5</version>
   <packaging>pom</packaging>
   <modules>
     <module>backend</module>

resources/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>ru.micord.ervu</groupId>
     <artifactId>eks</artifactId>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
   </parent>
 
   <groupId>ru.micord.ervu.eks</groupId>