fix: disable external entities resolution (#276)

* fix: disable external entities resolution * fix: disable external entities resolution
jenkinsci · Oct 23, 2022 · 3902210 · 3902210
1 parent 79bc2d7
commit 3902210
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
@@ -135,6 +135,9 @@ public void updateIdPMetadata() throws IOException {
             URLConnection urlConnection = ProxyConfiguration.open(new URL(url));
             try (InputStream in = urlConnection.getInputStream()) {
                 TransformerFactory tf = TransformerFactory.newInstance();
+                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
                 tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                 Transformer transformer = tf.newTransformer();
                 transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");