From 3902210fd91611d14edfa58cd2780644e6c04881 Mon Sep 17 00:00:00 2001
From: Ivan Fernandez Calvo
Date: Sun, 23 Oct 2022 18:47:33 +0200
Subject: [PATCH] fix: disable external entities resolution (#276)

* fix: disable external entities resolution
* fix: disable external entities resolution
---
 .../org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
index 18a5e07a..c6f4effa 100644
--- a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
+++ b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
@@ -135,6 +135,9 @@ public void updateIdPMetadata() throws IOException {
 URLConnection urlConnection = ProxyConfiguration.open(new URL(url));
 try (InputStream in = urlConnection.getInputStream()) {
 TransformerFactory tf = TransformerFactory.newInstance();
+ tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 Transformer transformer = tf.newTransformer();
 transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
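Review bot: The three added `tf.setAttribute(...)` calls throw an unchecked `IllegalArgumentException` when the factory returned by `TransformerFactory.newInstance()` does not recognise the attribute, and `updateIdPMetadata()` only declares `IOException`. `ACCESS_EXTERNAL_SCHEMA` looks like the most likely one to be rejected, since it governs schema loading rather than transformation; the restrictions that matter for a transformer are `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET`. Because the input is metadata fetched from a remote URL, an unsupported attribute should fail closed with a clear error rather than skip the hardening, for example `catch (IllegalArgumentException e) { throw new IOException("XML transformer does not support external-access restrictions", e); }` around the factory setup. The `try` body and any existing catch clauses continue outside this hunk, so check whether the exception is already handled there.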